Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible
for a specially crafted request to bypass some rewrite rules. If those
rewrite rules effectively enforced security constraints, those
constraints could be bypassed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
References
Link | Resource |
---|---|
https://lists.apache.org/list.html?announce@tomcat.apache.org | Mailing List Vendor Advisory |
http://www.openwall.com/lists/oss-security/2025/04/28/3 | Mailing List Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
06 May 2025, 14:15
Type | Values Removed | Values Added |
---|---|---|
CWE |
05 May 2025, 20:14
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* | |
CWE | CWE-116 | |
First Time |
Apache
Apache tomcat |
|
References | () https://lists.apache.org/list.html?announce@tomcat.apache.org - Mailing List, Vendor Advisory | |
References | () http://www.openwall.com/lists/oss-security/2025/04/28/3 - Mailing List, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
29 Apr 2025, 13:52
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
28 Apr 2025, 22:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
28 Apr 2025, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-04-28 20:15
Updated : 2025-05-06 21:16
NVD link : CVE-2025-31651
Mitre link : CVE-2025-31651
CVE.ORG link : CVE-2025-31651
JSON object : View
Products Affected
apache
- tomcat
CWE
CWE-116
Improper Encoding or Escaping of Output