Introduction
Attackers can bypass security constraints and potentially access or upload files to protected directories in Apache Tomcat when specific rewrite rules are in use. This vulnerability, tracked as CVE-2025-55752, affects a broad range of Tomcat versions and arises from a regression in the handling of rewritten URLs. The issue is particularly significant for organizations with custom rewrite configurations and those that have enabled HTTP PUT requests.
Apache Tomcat is a foundational component of the Java web ecosystem, powering a substantial portion of enterprise and cloud applications worldwide. Its widespread use means vulnerabilities can have far-reaching impact across industries and critical infrastructure.
Technical Information
CVE-2025-55752 is a relative path traversal vulnerability in Apache Tomcat's RewriteValve. The root cause is a regression introduced by the fix for bug 60013, which changed the processing order so that rewritten URLs are normalized before decoding. This allows an attacker to craft request URIs that, when processed by certain rewrite rules (such as those rewriting query parameters into the path), can bypass Tomcat's security constraints designed to protect directories like /WEB-INF/ and /META-INF/.
The vulnerability is only exploitable in configurations where rewrite rules manipulate the URI in a way that interacts with path traversal sequences. For example, a rewrite rule that rewrites a query parameter into the path could be abused with a request like /foo?bar=../WEB-INF/web.xml, which after rewriting and normalization could allow access to protected files if the decoding step reveals traversal sequences that were not caught by security checks.
If HTTP PUT requests are enabled (which is not the default), an attacker could exploit this path traversal to upload malicious files to sensitive locations, potentially achieving remote code execution. This escalation requires both a vulnerable rewrite configuration and PUT support on the DefaultServlet.
The vulnerability is classified under CWE-23 (Relative Path Traversal). The specific technical flaw is the normalization-before-decoding order, which creates a window where encoded traversal sequences can evade intended security checks.
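To make the ordering flaw concrete, the following added example (not Tomcat code) models a hypothetical rewrite rule that moves the `bar` query parameter into the path, then resolves the rewritten URL in both orders, the regressed normalise-then-decode order and the corrected decode-then-normalise order, and applies a prefix-based security constraint for `/WEB-INF/` and `/META-INF/`; the rule, the prefixes and the sample requests are all constructed for illustration.

```python
"""Added example (not Tomcat code): why normalising a rewritten URL before decoding it
lets a traversal segment slip past a prefix-based security constraint. The rewrite rule,
protected prefixes and sample requests are constructed for illustration."""
from urllib.parse import unquote
import posixpath

# Prefixes a security constraint is meant to protect (assumed, mirrors the advisory).
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")

def normalize(path: str) -> str:
    """Collapse '.' and '..' segments the way a URI normaliser does; keep the leading slash."""
    norm = posixpath.normpath(path)
    return norm if norm.startswith("/") else "/" + norm

def rewrite(uri: str) -> str:
    """Hypothetical RewriteRule: /foo?bar=X becomes /foo/X (the shape the advisory describes)."""
    path, _, query = uri.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    return path.rstrip("/") + "/" + params.get("bar", "")

def resolve_regressed(uri: str) -> str:
    """Order introduced by the bug 60013 fix: normalise first, decode second."""
    return unquote(normalize(rewrite(uri)))

def resolve_fixed(uri: str) -> str:
    """Corrected order: decode first, so any '..' revealed by decoding is then collapsed."""
    return normalize(unquote(rewrite(uri)))

def constraint_allows(path: str) -> bool:
    """Prefix-match security constraint applied to the path the mapper sees."""
    return not path.startswith(PROTECTED_PREFIXES)

def effective_target(path: str) -> str:
    """What resource lookup actually serves: leftover '..' is collapsed on the filesystem."""
    return normalize(path)

def audit(uri: str) -> dict:
    """Resolve one request both ways and report whether the constraint is bypassed."""
    regressed, fixed = resolve_regressed(uri), resolve_fixed(uri)
    return {
        "regressed_path": regressed,
        "regressed_allowed": constraint_allows(regressed),
        # Bypass: the mapper lets the path through, yet the served resource is protected.
        "regressed_bypass": constraint_allows(regressed)
                            and not constraint_allows(effective_target(regressed)),
        "fixed_path": fixed,
        "fixed_allowed": constraint_allows(fixed),
    }

if __name__ == "__main__":
    # Constructed requests: benign, plain traversal, and percent-encoded traversal.
    for req in ("/foo?bar=index.html", "/foo?bar=../WEB-INF/web.xml",
                "/foo?bar=%2e%2e/WEB-INF/web.xml"):
        print(req, audit(req))
```

The plain `../` form is caught in both orders because normalisation collapses it before the constraint check, whereas the encoded form survives normalisation and is only revealed by the later decode step, which is the window the advisory describes.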
Affected Systems and Versions
- Apache Tomcat 11.0.0-M1 through 11.0.10
- Apache Tomcat 10.1.0-M1 through 10.1.44
- Apache Tomcat 9.0.0.M11 through 9.0.108
- Apache Tomcat 8.5.6 through 8.5.100 (EOL as of March 31, 2024)
Vulnerable configurations include those with custom rewrite rules that rewrite query parameters into the URL path or otherwise manipulate the URI in a way that could introduce traversal sequences. Exploitation risk increases if HTTP PUT requests are enabled on the DefaultServlet.
Vendor Security History
Apache Tomcat has a history of vulnerabilities related to URL rewriting and path traversal, including regressions from previous fixes (such as bug 60013). The project maintains active security advisories and typically releases patches promptly. However, the complexity of supporting multiple major versions and diverse deployment configurations can result in occasional regressions and delayed remediation for some users.