CVE-2025-31651

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
References
Link Resource
https://lists.apache.org/list.html?announce@tomcat.apache.org Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/04/28/3 Mailing List Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

History

06 May 2025, 14:15

Type Values Removed Values Added
CWE CWE-150

05 May 2025, 20:14

Type Values Removed Values Added
CPE cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
CWE CWE-116
First Time Apache
Apache tomcat
References () https://lists.apache.org/list.html?announce@tomcat.apache.org - () https://lists.apache.org/list.html?announce@tomcat.apache.org - Mailing List, Vendor Advisory
References () http://www.openwall.com/lists/oss-security/2025/04/28/3 - () http://www.openwall.com/lists/oss-security/2025/04/28/3 - Mailing List, Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8

29 Apr 2025, 13:52

Type Values Removed Values Added
Summary
  • (es) Vulnerabilidad de neutralización incorrecta de secuencias de escape, metadatos o de control en Apache Tomcat. En un subconjunto de configuraciones improbables de reglas de reescritura, una solicitud especialmente manipulada podía eludir algunas reglas de reescritura. Si dichas reglas aplicaban restricciones de seguridad de forma eficaz, estas podían eludirse. Este problema afecta a Apache Tomcat: de la 11.0.0-M1 a la 11.0.5, de la 10.1.0-M1 a la 10.1.39 y de la 9.0.0.M1 a la 9.0.102. Se recomienda a los usuarios actualizar a la versión [FIXED_VERSION], que soluciona el problema.

28 Apr 2025, 22:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2025/04/28/3 -

28 Apr 2025, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-04-28 20:15

Updated : 2025-05-06 21:16


NVD link : CVE-2025-31651

Mitre link : CVE-2025-31651

CVE.ORG link : CVE-2025-31651


JSON object : View

Products Affected

apache

  • tomcat
CWE
CWE-116

Improper Encoding or Escaping of Output