[like] Marco Krammer reacted to your message:

________________________________
From: Mark Thomas <ma...@apache.org>
Sent: Monday, June 16, 2025 1:59:33 PM
To: Tomcat Users List <users@tomcat.apache.org>
Cc: annou...@apache.org <annou...@apache.org>; annou...@tomcat.apache.org <annou...@tomcat.apache.org>; Tomcat Developers List <d...@tomcat.apache.org>
Subject: [SECURITY] CVE-2025-49125 Apache Tomcat - Security constraint bypass for pre/post-resources
CVE-2025-49125 Apache Tomcat - Security constraint bypass for pre/post-resources

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.7
Apache Tomcat 10.1.0-M1 to 10.1.41
Apache Tomcat 9.0.0.M1 to 9.0.105

Description:
When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.8 or later
- Upgrade to Apache Tomcat 10.1.42 or later
- Upgrade to Apache Tomcat 9.0.106 or later

Credit:
Greg K (https://github.com/gregk4sec)

History:
2025-06-16 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
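A small audit helper for the advisory above, added here as an example and not code from the advisory, from Mark Thomas, or from the Tomcat project. It does two things a defender wants to know quickly: whether a reported Tomcat version sits inside the affected ranges (the fixed versions 11.0.8, 10.1.42 and 9.0.106 are taken from the advisory), and whether a context.xml declares any PreResources or PostResources mounted somewhere other than the web-application root, which is the configuration the advisory describes. The `<Resources>`/`<PreResources>`/`<PostResources>` nesting and the `webAppMount` and `base` attributes follow Tomcat's documented resource configuration; treating a missing `webAppMount` as the root is an assumption, and the sample context.xml is constructed for the example.

```python
"""
Audit helper for CVE-2025-49125 scope: version range check plus a scan of
context.xml for PreResources/PostResources mounted off the web-app root.

Added example for this thread; not code from the advisory or from Tomcat.
Fixed-version numbers are copied from the advisory text. Sample XML below
is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, straight from the advisory's mitigation list.
FIXED_BY_BRANCH = {
    (11, 0): 8,    # 11.0.8 or later is fixed
    (10, 1): 42,   # 10.1.42 or later is fixed
    (9, 0): 106,   # 9.0.106 or later is fixed
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def is_affected(version):
    """True if `version` is inside an affected range, False if it is at or
    past the fixed release, None if the branch is not covered by this
    advisory (for example 8.5.x). Milestones such as 11.0.0-M1 and 9.0.0.M1
    compare by their numeric prefix, so they land inside the affected range,
    matching the advisory's "11.0.0-M1 to 11.0.7" wording."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    fixed_patch = FIXED_BY_BRANCH.get((major, minor))
    if fixed_patch is None:
        return None
    return patch < fixed_patch


def nonroot_mounts(context_xml):
    """Return (element, webAppMount, base) for every PreResources or
    PostResources element whose mount point is not the web-app root ("/").
    A root mount is outside the advisory's description and is not reported."""
    root = ET.fromstring(context_xml)
    hits = []
    for tag in ("PreResources", "PostResources"):
        for el in root.iter(tag):
            # Assumption: an absent webAppMount behaves like a root mount.
            mount = el.get("webAppMount", "/")
            if mount.strip("/") != "":
                hits.append((tag, mount, el.get("base")))
    return hits


def audit(version, context_xml):
    """One-word verdict combining the two checks."""
    affected = is_affected(version)
    if affected is None:
        return "branch-not-covered"
    if not affected:
        return "fixed"
    return "exposed" if nonroot_mounts(context_xml) else "affected-but-no-nonroot-mounts"


# Constructed sample context.xml: one non-root PreResources, one root
# PostResources (ignored), one non-root PostResources.
SAMPLE_CONTEXT_XML = """\
<Context>
  <Resources>
    <PreResources className="org.apache.catalina.webresources.DirResourceSet"
                  base="/srv/shared/static" webAppMount="/static"/>
    <PostResources className="org.apache.catalina.webresources.DirResourceSet"
                   base="/srv/shared/fallback" webAppMount="/"/>
    <PostResources className="org.apache.catalina.webresources.JarResourceSet"
                   base="/srv/shared/extra.jar" webAppMount="/WEB-INF/lib"
                   internalPath="/"/>
  </Resources>
</Context>
"""

if __name__ == "__main__":
    for v in ("9.0.105", "9.0.106", "11.0.0-M1", "10.1.41", "8.5.100"):
        print(f"{v:>10}: affected={is_affected(v)}  verdict={audit(v, SAMPLE_CONTEXT_XML)}")
    for hit in nonroot_mounts(SAMPLE_CONTEXT_XML):
        print("non-root mount:", hit)
```

Point `audit()` at the version string from `catalina.sh version` (or the server's `ServerInfo`) and the deployed application's context.xml; an "exposed" verdict means the instance is both inside the advisory's range and uses the mount layout the advisory talks about, so the upgrade in the mitigation list is the action to take.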