7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-49125

CVE-2025-49125: Apache Tomcat - Security constraint bypass for pre/post-resources

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.

Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-49125

CVE-2025-49125:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.tomcat:tomcat-catalina	maven	>= 11.0.0-M1, <= 11.0.7	11.0.8
org.apache.tomcat:tomcat-catalina	maven	>= 10.1.0-M1, <= 10.1.41	10.1.42
org.apache.tomcat:tomcat-catalina	maven	>= 9.0.0.M1, <= 9.0.105	9.0.106
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 11.0.0-M1, <= 11.0.7	11.0.8
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 10.1.0-M1, <= 10.1.41	10.1.42
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 9.0.0.M1, <= 9.0.105	9.0.106

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in how Apache Tomcat handled paths for PreResources or PostResources when they were mounted at a location other than the web application's root. Specifically, the path.startsWith(webAppMount) check used in several methods within AbstractArchiveResourceSet and DirResourceSet was too permissive. This allowed an attacker to craft a path that would satisfy this check but would not be a legitimate sub-path of the mounted resource. For example, if a resource was mounted at /app/secure, a request for /app/securedirectory (note the missing trailing slash after 'secure') could be misinterpreted as being part of the /app/secure mount due to the startsWith check. This could lead to bypassing security constraints that were intended to protect resources under /app/secure/. The patch addresses this by introducing a new method, isPathMounted(String path, String webAppMount), in AbstractResourceSet.java. This method performs a more stringent check: it ensures that if path starts with webAppMount, then either path is identical to webAppMount, or the character immediately following webAppMount in path must be a forward slash ('/'). This prevents the aforementioned path confusion. The vulnerable functions are those that previously used the path.startsWith() check and were modified to use the new isPathMounted() method. These functions are involved in listing, retrieving, creating, and writing resources, and their exploitation could lead to an authentication bypass by accessing resources through an unexpected, less-secured path.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-49125: Apache Tomcat - Security constraint bypass for pre/post-resources

CVE-2025-49125:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-49125: Apache Tomcat - Security constraint bypass for pre/post-resources

Technical Details

Basic Information

Basic Information

7.5

7.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI