Apache Tomcat Path Traversal Vulnerability (CVE-2025-55752) Notice
2025-10-29 06:31:51 Author: securityboulevard.com

Overview

Recently, NSFOCUS CERT detected that Apache issued a security bulletin to fix the Apache Tomcat path traversal vulnerability (CVE-2025-55752). This vulnerability is a flaw introduced when fixing CVE-2016-5388. Because the rewritten URL is normalized before URL decoding, if the system is configured with rewrite rules that rewrite query parameters into the URL, an authenticated attacker can bypass security restrictions on protected directories such as /WEB-INF/ and /META-INF/ by constructing specially crafted URIs. When the target server also enables the PUT method, an attacker can upload malicious files to achieve remote code execution. The CVSS score is 7.5; affected users should take protective measures as soon as possible.

Reference link: https://www.mail-archive.com/[email protected]/msg10465.html


Scope of Impact

Affected versions

  • 11.0.0-M1 <= Apache Tomcat <= 11.0.10
  • 10.1.0-M1 <= Apache Tomcat <= 10.1.44
  • 9.0.0.M1 <= Apache Tomcat <= 9.0.108
  • 8.5.6 <= Apache Tomcat <= 8.5.100 (EOL)

Note: Earlier versions that have been officially discontinued from maintenance may also be affected.

Unaffected versions

  • Apache Tomcat >= 11.0.11
  • Apache Tomcat >= 10.1.45
  • Apache Tomcat >= 9.0.109

Detection

Manual inspection

The name of the installation package downloaded from the Apache Tomcat official website contains the Tomcat version number. If the Tomcat directory name was not changed after unzipping, the current version can be determined by checking the folder name.

If the name of the unzipped Tomcat directory has been modified, or Tomcat was installed through the Windows Service Installer, the version module that ships with the software can be used to obtain the current version. Alternatively, enter the bin directory of the Tomcat installation and run version.bat (version.sh on Linux) to view the current software version number.

Users can check whether the PUT method is enabled by inspecting the conf/web.xml file: the PUT method is enabled if the readonly init-param of org.apache.catalina.servlets.DefaultServlet is set to false.
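The two manual checks above (version range and DefaultServlet readonly) can be scripted. The following is an added example, not NSFOCUS or Apache code; it assumes the version text is the output of version.sh/version.bat or a plain version string, and the web.xml sample is constructed for the demonstration (Tomcat's real conf/web.xml is namespaced, which the parser tolerates).

```python
import re
import xml.etree.ElementTree as ET

# Last affected patch level per branch, taken from the advisory's affected ranges.
AFFECTED = {(11, 0): 10, (10, 1): 44, (9, 0): 108, (8, 5): 100}

def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Server number: 9.0.108.0' or '11.0.0-M1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Tomcat version found in: %r" % text)
    return tuple(int(x) for x in m.groups())

def version_status(text):
    """Classify a version as 'affected', 'fixed', 'eol' or 'unlisted' per the advisory."""
    major, minor, patch = parse_version(text)
    if (major, minor) == (8, 5):
        return "eol"  # 8.5.x is end of life: no fixed release, treat as affected
    last = AFFECTED.get((major, minor))
    if last is None:
        return "unlisted"  # branch not in the advisory; older EOL branches may still be affected
    return "affected" if patch <= last else "fixed"

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix

def put_enabled(web_xml_text):
    """True only if DefaultServlet has an explicit readonly=false (PUT/DELETE accepted).
    readonly defaults to true when the init-param is absent, so absence means PUT is rejected."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text.strip() for c in servlet if _local(c.tag) == "servlet-class" and c.text), "")
        if cls != "org.apache.catalina.servlets.DefaultServlet":
            continue
        for ip in servlet:
            if _local(ip.tag) != "init-param":
                continue
            params = {_local(c.tag): (c.text or "").strip() for c in ip}
            if params.get("param-name") == "readonly":
                return params.get("param-value", "").lower() == "false"
    return False

# Constructed sample: a DefaultServlet declaration with PUT enabled (the risky setting).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet><servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""

if __name__ == "__main__":
    print(version_status("Server number: 9.0.108.0"), put_enabled(SAMPLE_WEB_XML))
```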

Risk Investigation of Exposure Surface

NSFOCUS External Attack Surface Management Service (EASM) supports the Internet asset investigation of CVE-2025-55752 vulnerability risks. It has helped service customer groups complete exposure surface investigations and conduct vulnerability warnings and closed-loop disposal in a timely manner before threats occur. Interested customers can arrange detailed consultation and communication by contacting their local regional colleagues at NSFOCUS or sending an email to [email protected].

Mitigation

Official upgrade

The official fixed versions have been released. Affected users are advised to upgrade as soon as possible.

Download link:

https://tomcat.apache.org/download-11.cgi

https://tomcat.apache.org/download-10.cgi

https://tomcat.apache.org/download-90.cgi

Temporary measures

If affected users are temporarily unable to upgrade, the following measures can be used as temporary mitigation:

1. Provided that business is not affected, set the readonly parameter in the conf/web.xml file to true, or comment it out.

2. Disable the PUT method and restart the Tomcat service for the configuration to take effect.

3. Check URL rewrite rules to restrict access to protected directories such as /WEB-INF/ and /META-INF/.

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, a pioneering leader in cybersecurity, is dedicated to safeguarding telecommunications, Internet service providers, hosting providers, and enterprises from sophisticated cyberattacks.

Founded in 2000, NSFOCUS operates globally with over 4000 employees at two headquarters in Beijing, China, and Santa Clara, CA, USA, and over 50 offices worldwide. It has a proven track record of protecting over 25% of the Fortune Global 500 companies, including four of the five largest banks and six of the world’s top ten telecommunications companies.

Leveraging technical prowess and innovation, NSFOCUS delivers a comprehensive suite of security solutions, including the Intelligent Security Operations Platform (ISOP) for modern SOC, DDoS Protection, Continuous Threat Exposure Management (CTEM) Service and Web Application and API Protection (WAAP). All the solutions and services are augmented by the Security Large Language Model (SecLLM), ML, patented algorithms and other cutting-edge research achievements developed by NSFOCUS.


*** This is a Security Bloggers Network syndicated blog from NSFOCUS, Inc., a global network and cyber security leader that protects enterprises and carriers from advanced cyber attacks, authored by NSFOCUS. Read the original post at: https://nsfocusglobal.com/apache-tomcat-path-traversal-vulnerability-cve-2025-55752-notice/


Article source: https://securityboulevard.com/2025/10/apache-tomcat-path-traversal-vulnerability-cve-2025-55752-notice/