Apache Tomcat RNTL in URL Rewrite (11.0.10,10.1.44,9.0.108)
CVE-2025-55752 Published on October 27, 2025
Apache Tomcat: Directory traversal via rewrite with possible RCE if PUT is enabled
Relative Path Traversal vulnerability in Apache Tomcat.
The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.6 though 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.
Vulnerability Analysis
CVE-2025-55752 is exploitable with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Relative Path Traversal
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
Products Associated with CVE-2025-55752
stack.watch emails you whenever new vulnerabilities are published in Apache Tomcat or F5 Networks Tomcat. Just hit a watch button to start following.
Affected Versions
Apache Software Foundation Apache Tomcat:- Version 11.0.0-M1, <= 11.0.10 is affected.
- Version 10.1.0-M1, <= 10.1.44 is affected.
- Version 9.0.0.M11, <= 9.0.108 is affected.
- Version 8.5.6, <= 8.5.100 is affected.
- Version 3 and below 8.5.0 is unknown.
- Version 10.0.0-M1, <= 10.0.27 is unknown.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.