Home

Description

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

PUBLISHED Reserved 2025-03-31 | Published 2025-04-28 | Updated 2026-02-26 | Assigner apache

Problem types

CWE-116 Improper Encoding or Escaping of Output

Product status

Default status
unaffected

11.0.0-M1 (semver)
affected

10.1.0-M1 (semver)
affected

9.0.0.M1 (semver)
affected

8.5.0 (semver)
affected

8.0.0.RC1 (semver) before 8.5.0
unknown

10.0.0-M1 (semver)
unknown

Credits

COSCO Shipping Lines DIC finder

References

www.openwall.com/lists/oss-security/2025/04/28/3

lists.debian.org/debian-lts-announce/2025/07/msg00009.html

lists.apache.org/list.html?announce@tomcat.apache.org vendor-advisory

cve.org (CVE-2025-31651)

nvd.nist.gov (CVE-2025-31651)

Download JSON