CVE-2025-31651

EUVD-2025-13626
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.

Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
CVSS 3.x Base Score

Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score: Percentile 41%
Affected Products (NVD)

Vendor | Product | Version range (x = vulnerable software versions)
apache | tomcat | 9.0.0 ≤ x < 9.0.104
apache | tomcat | 10.1.0 ≤ x < 10.1.40
apache | tomcat | 11.0.0 ≤ x < 11.0.6
Debian Releases

Debian Product | Codename | Version | Status
tomcat10 | bookworm | 10.1.52-1~deb12u1 | fixed
tomcat10 | bookworm (security) | 10.1.52-1~deb12u1 | fixed
tomcat10 | forky | 10.1.54-1 | fixed
tomcat10 | sid | 10.1.54-1 | fixed
tomcat10 | trixie | 10.1.52-1~deb13u1 | fixed
tomcat10 | trixie (security) | 10.1.52-1~deb13u1 | fixed
tomcat11 | forky | 11.0.21-1 | fixed
tomcat11 | sid | 11.0.22-2 | fixed
tomcat11 | trixie | 11.0.15-1~deb13u1 | fixed
tomcat11 | trixie (security) | 11.0.15-1~deb13u1 | fixed
tomcat9 | bookworm | 9.0.70-2 | fixed
tomcat9 | bullseye | - | vulnerable
tomcat9 | bullseye (security) | 9.0.107-0+deb11u2 | fixed
tomcat9 | forky | 9.0.118-1 | fixed
tomcat9 | sid | 9.0.118-1 | fixed
tomcat9 | trixie | 9.0.95-1 | fixed
openSUSE / SLES Releases

openSUSE Product | Release | Version | Status
tomcat | suse enterprise sap 15 SP3 | 9.0.104-150200.81.1 | fixed
tomcat | suse enterprise sap 15 SP4 | 9.0.104-150200.81.1 | fixed
tomcat | suse enterprise sap 15 SP5 | 9.0.104-150200.81.1 | fixed
tomcat | suse enterprise sap 15 SP6 | 9.0.104-150200.81.1 | fixed
tomcat | suse enterprise sap 15 SP7 | 9.0.104-150200.81.1 | fixed
tomcat | suse enterprise server 12 SP5 | 9.0.115-3.160.1 | fixed
tomcat | suse enterprise server 15 SP2 | 9.0.104-150200.81.1 | fixed
tomcat | suse enterprise server 15 SP3 | 9.0.104-150200.81.1 | fixed
tomcat | suse enterprise server 15 SP4 | 9.0.104-150200.81.1 | fixed
tomcat | suse enterprise server 15 SP5 | 9.0.104-150200.81.1 | fixed
tomcat | suse enterprise server 15 SP6 | 9.0.104-150200.81.1 | fixed
tomcat | suse enterprise server 15 SP7 | 9.0.104-150200.81.1 | fixed
tomcat-admin-webapps | suse enterprise sap 15 SP3 | 9.0.104-150200.81.1 | fixed
tomcat-admin-webapps | suse enterprise sap 15 SP4 | 9.0.104-150200.81.1 | fixed
tomcat-admin-webapps | suse enterprise sap 15 SP5 | 9.0.104-150200.81.1 | fixed
tomcat-admin-webapps | suse enterprise sap 15 SP6 | 9.0.104-150200.81.1 | fixed
tomcat-admin-webapps | suse enterprise sap 15 SP7 | 9.0.104-150200.81.1 | fixed
tomcat-admin-webapps | suse enterprise server 12 SP5 | 9.0.115-3.160.1 | fixed
tomcat-admin-webapps | suse enterprise server 15 SP2 | 9.0.104-150200.81.1 | fixed
tomcat-admin-webapps | suse enterprise server 15 SP3 | 9.0.104-150200.81.1 | fixed
tomcat-admin-webapps | suse enterprise server 15 SP4 | 9.0.104-150200.81.1 | fixed
tomcat-admin-webapps | suse enterprise server 15 SP5 | 9.0.104-150200.81.1 | fixed
tomcat-admin-webapps | suse enterprise server 15 SP6 | 9.0.104-150200.81.1 | fixed
tomcat-admin-webapps | suse enterprise server 15 SP7 | 9.0.104-150200.81.1 | fixed
tomcat-docs-webapp | suse enterprise server 12 SP5 | 9.0.115-3.160.1 | fixed
tomcat-el-3_0-api | suse enterprise sap 15 SP3 | 9.0.104-150200.81.1 | fixed
tomcat-el-3_0-api | suse enterprise sap 15 SP4 | 9.0.104-150200.81.1 | fixed
tomcat-el-3_0-api | suse enterprise sap 15 SP5 | 9.0.104-150200.81.1 | fixed
tomcat-el-3_0-api | suse enterprise sap 15 SP6 | 9.0.104-150200.81.1 | fixed
tomcat-el-3_0-api | suse enterprise sap 15 SP7 | 9.0.104-150200.81.1 | fixed
tomcat-el-3_0-api | suse enterprise server 12 SP5 | 9.0.115-3.160.1 | fixed
tomcat-el-3_0-api | suse enterprise server 15 SP2 | 9.0.104-150200.81.1 | fixed
tomcat-el-3_0-api | suse enterprise server 15 SP3 | 9.0.104-150200.81.1 | fixed
tomcat-el-3_0-api | suse enterprise server 15 SP4 | 9.0.104-150200.81.1 | fixed
tomcat-el-3_0-api | suse enterprise server 15 SP5 | 9.0.104-150200.81.1 | fixed
tomcat-el-3_0-api | suse enterprise server 15 SP6 | 9.0.104-150200.81.1 | fixed
tomcat-el-3_0-api | suse enterprise server 15 SP7 | 9.0.104-150200.81.1 | fixed
tomcat-javadoc | suse enterprise server 12 SP5 | 9.0.115-3.160.1 | fixed
tomcat-jsp-2_3-api | suse enterprise sap 15 SP3 | 9.0.104-150200.81.1 | fixed
tomcat-jsp-2_3-api | suse enterprise sap 15 SP4 | 9.0.104-150200.81.1 | fixed
tomcat-jsp-2_3-api | suse enterprise sap 15 SP5 | 9.0.104-150200.81.1 | fixed
tomcat-jsp-2_3-api | suse enterprise sap 15 SP6 | 9.0.104-150200.81.1 | fixed
tomcat-jsp-2_3-api | suse enterprise sap 15 SP7 | 9.0.104-150200.81.1 | fixed
tomcat-jsp-2_3-api | suse enterprise server 12 SP5 | 9.0.115-3.160.1 | fixed
tomcat-jsp-2_3-api | suse enterprise server 15 SP2 | 9.0.104-150200.81.1 | fixed
tomcat-jsp-2_3-api | suse enterprise server 15 SP3 | 9.0.104-150200.81.1 | fixed
tomcat-jsp-2_3-api | suse enterprise server 15 SP4 | 9.0.104-150200.81.1 | fixed
tomcat-jsp-2_3-api | suse enterprise server 15 SP5 | 9.0.104-150200.81.1 | fixed
tomcat-jsp-2_3-api | suse enterprise server 15 SP6 | 9.0.104-150200.81.1 | fixed
tomcat-jsp-2_3-api | suse enterprise server 15 SP7 | 9.0.104-150200.81.1 | fixed
tomcat-lib | suse enterprise sap 15 SP3 | 9.0.104-150200.81.1 | fixed
tomcat-lib | suse enterprise sap 15 SP4 | 9.0.104-150200.81.1 | fixed
tomcat-lib | suse enterprise sap 15 SP5 | 9.0.104-150200.81.1 | fixed
tomcat-lib | suse enterprise sap 15 SP6 | 9.0.104-150200.81.1 | fixed
tomcat-lib | suse enterprise sap 15 SP7 | 9.0.104-150200.81.1 | fixed
tomcat-lib | suse enterprise server 12 SP5 | 9.0.115-3.160.1 | fixed
tomcat-lib | suse enterprise server 15 SP2 | 9.0.104-150200.81.1 | fixed
tomcat-lib | suse enterprise server 15 SP3 | 9.0.104-150200.81.1 | fixed
tomcat-lib | suse enterprise server 15 SP4 | 9.0.104-150200.81.1 | fixed
tomcat-lib | suse enterprise server 15 SP5 | 9.0.104-150200.81.1 | fixed
tomcat-lib | suse enterprise server 15 SP6 | 9.0.104-150200.81.1 | fixed
tomcat-lib | suse enterprise server 15 SP7 | 9.0.104-150200.81.1 | fixed
tomcat-servlet-4_0-api | suse enterprise sap 15 SP3 | 9.0.104-150200.81.1 | fixed
tomcat-servlet-4_0-api | suse enterprise sap 15 SP4 | 9.0.104-150200.81.1 | fixed
tomcat-servlet-4_0-api | suse enterprise sap 15 SP5 | 9.0.104-150200.81.1 | fixed
tomcat-servlet-4_0-api | suse enterprise sap 15 SP6 | 9.0.104-150200.81.1 | fixed
tomcat-servlet-4_0-api | suse enterprise sap 15 SP7 | 9.0.104-150200.81.1 | fixed
tomcat-servlet-4_0-api | suse enterprise server 12 SP5 | 9.0.115-3.160.1 | fixed
tomcat-servlet-4_0-api | suse enterprise server 15 SP2 | 9.0.104-150200.81.1 | fixed
tomcat-servlet-4_0-api | suse enterprise server 15 SP3 | 9.0.104-150200.81.1 | fixed
tomcat-servlet-4_0-api | suse enterprise server 15 SP4 | 9.0.104-150200.81.1 | fixed
tomcat-servlet-4_0-api | suse enterprise server 15 SP5 | 9.0.104-150200.81.1 | fixed
tomcat-servlet-4_0-api | suse enterprise server 15 SP6 | 9.0.104-150200.81.1 | fixed
tomcat-servlet-4_0-api | suse enterprise server 15 SP7 | 9.0.104-150200.81.1 | fixed
tomcat-webapps | suse enterprise sap 15 SP3 | 9.0.104-150200.81.1 | fixed
tomcat-webapps | suse enterprise sap 15 SP4 | 9.0.104-150200.81.1 | fixed
tomcat-webapps | suse enterprise sap 15 SP5 | 9.0.104-150200.81.1 | fixed
tomcat-webapps | suse enterprise sap 15 SP6 | 9.0.104-150200.81.1 | fixed
tomcat-webapps | suse enterprise sap 15 SP7 | 9.0.104-150200.81.1 | fixed
tomcat-webapps | suse enterprise server 12 SP5 | 9.0.115-3.160.1 | fixed
tomcat-webapps | suse enterprise server 15 SP2 | 9.0.104-150200.81.1 | fixed
tomcat-webapps | suse enterprise server 15 SP3 | 9.0.104-150200.81.1 | fixed
tomcat-webapps | suse enterprise server 15 SP4 | 9.0.104-150200.81.1 | fixed
tomcat-webapps | suse enterprise server 15 SP5 | 9.0.104-150200.81.1 | fixed
tomcat-webapps | suse enterprise server 15 SP6 | 9.0.104-150200.81.1 | fixed
tomcat-webapps | suse enterprise server 15 SP7 | 9.0.104-150200.81.1 | fixed
tomcat10 | suse enterprise sap 15 SP5 | 10.1.40-150200.5.40.1 | fixed
tomcat10 | suse enterprise sap 15 SP6 | 10.1.40-150200.5.40.1 | fixed
tomcat10 | suse enterprise sap 15 SP7 | 10.1.40-150200.5.40.1 | fixed
tomcat10 | suse enterprise server 15 SP5 | 10.1.40-150200.5.40.1 | fixed
tomcat10 | suse enterprise server 15 SP6 | 10.1.40-150200.5.40.1 | fixed
tomcat10 | suse enterprise server 15 SP7 | 10.1.40-150200.5.40.1 | fixed
tomcat10-admin-webapps | suse enterprise sap 15 SP5 | 10.1.40-150200.5.40.1 | fixed
tomcat10-admin-webapps | suse enterprise sap 15 SP6 | 10.1.40-150200.5.40.1 | fixed
tomcat10-admin-webapps | suse enterprise sap 15 SP7 | 10.1.40-150200.5.40.1 | fixed
tomcat10-admin-webapps | suse enterprise server 15 SP5 | 10.1.40-150200.5.40.1 | fixed
tomcat10-admin-webapps | suse enterprise server 15 SP6 | 10.1.40-150200.5.40.1 | fixed
tomcat10-admin-webapps | suse enterprise server 15 SP7 | 10.1.40-150200.5.40.1 | fixed
tomcat10-el-5_0-api | suse enterprise sap 15 SP5 | 10.1.40-150200.5.40.1 | fixed
tomcat10-el-5_0-api | suse enterprise sap 15 SP6 | 10.1.40-150200.5.40.1 | fixed
tomcat10-el-5_0-api | suse enterprise sap 15 SP7 | 10.1.40-150200.5.40.1 | fixed
tomcat10-el-5_0-api | suse enterprise server 15 SP5 | 10.1.40-150200.5.40.1 | fixed
tomcat10-el-5_0-api | suse enterprise server 15 SP6 | 10.1.40-150200.5.40.1 | fixed
tomcat10-el-5_0-api | suse enterprise server 15 SP7 | 10.1.40-150200.5.40.1 | fixed
tomcat10-jsp-3_1-api | suse enterprise sap 15 SP5 | 10.1.40-150200.5.40.1 | fixed
tomcat10-jsp-3_1-api | suse enterprise sap 15 SP6 | 10.1.40-150200.5.40.1 | fixed
tomcat10-jsp-3_1-api | suse enterprise sap 15 SP7 | 10.1.40-150200.5.40.1 | fixed
tomcat10-jsp-3_1-api | suse enterprise server 15 SP5 | 10.1.40-150200.5.40.1 | fixed
tomcat10-jsp-3_1-api | suse enterprise server 15 SP6 | 10.1.40-150200.5.40.1 | fixed
tomcat10-jsp-3_1-api | suse enterprise server 15 SP7 | 10.1.40-150200.5.40.1 | fixed
tomcat10-lib | suse enterprise sap 15 SP5 | 10.1.40-150200.5.40.1 | fixed
tomcat10-lib | suse enterprise sap 15 SP6 | 10.1.40-150200.5.40.1 | fixed
tomcat10-lib | suse enterprise sap 15 SP7 | 10.1.40-150200.5.40.1 | fixed
tomcat10-lib | suse enterprise server 15 SP5 | 10.1.40-150200.5.40.1 | fixed
tomcat10-lib | suse enterprise server 15 SP6 | 10.1.40-150200.5.40.1 | fixed
tomcat10-lib | suse enterprise server 15 SP7 | 10.1.40-150200.5.40.1 | fixed
tomcat10-servlet-6_0-api | suse enterprise sap 15 SP5 | 10.1.40-150200.5.40.1 | fixed
tomcat10-servlet-6_0-api | suse enterprise sap 15 SP6 | 10.1.40-150200.5.40.1 | fixed
tomcat10-servlet-6_0-api | suse enterprise sap 15 SP7 | 10.1.40-150200.5.40.1 | fixed
tomcat10-servlet-6_0-api | suse enterprise server 15 SP5 | 10.1.40-150200.5.40.1 | fixed
tomcat10-servlet-6_0-api | suse enterprise server 15 SP6 | 10.1.40-150200.5.40.1 | fixed
tomcat10-servlet-6_0-api | suse enterprise server 15 SP7 | 10.1.40-150200.5.40.1 | fixed
tomcat10-webapps | suse enterprise sap 15 SP5 | 10.1.40-150200.5.40.1 | fixed
tomcat10-webapps | suse enterprise sap 15 SP6 | 10.1.40-150200.5.40.1 | fixed
tomcat10-webapps | suse enterprise sap 15 SP7 | 10.1.40-150200.5.40.1 | fixed
tomcat10-webapps | suse enterprise server 15 SP5 | 10.1.40-150200.5.40.1 | fixed
tomcat10-webapps | suse enterprise server 15 SP6 | 10.1.40-150200.5.40.1 | fixed
tomcat10-webapps | suse enterprise server 15 SP7 | 10.1.40-150200.5.40.1 | fixed
Red Hat Enterprise Linux Releases

Red Hat Product | Release | Version | Status
tomcat | RHEL 8 | 1:9.0.87-1.el8_10.7 | fixed
tomcat | RHEL 8.8 E4S | 1:9.0.87-1.el8_8.8 | fixed
tomcat | RHEL 8.8 TUS | 1:9.0.87-1.el8_8.8 | fixed
tomcat | RHEL 9 | 1:9.0.87-6.el9_7.1 | fixed
tomcat-admin-webapps | RHEL 8 | 1:9.0.87-1.el8_10.7 | fixed
tomcat-admin-webapps | RHEL 8.8 E4S | 1:9.0.87-1.el8_8.8 | fixed
tomcat-admin-webapps | RHEL 8.8 TUS | 1:9.0.87-1.el8_8.8 | fixed
tomcat-admin-webapps | RHEL 9 | 1:9.0.87-6.el9_7.1 | fixed
tomcat-docs-webapp | RHEL 8 | 1:9.0.87-1.el8_10.7 | fixed
tomcat-docs-webapp | RHEL 8.8 E4S | 1:9.0.87-1.el8_8.8 | fixed
tomcat-docs-webapp | RHEL 8.8 TUS | 1:9.0.87-1.el8_8.8 | fixed
tomcat-docs-webapp | RHEL 9 | 1:9.0.87-6.el9_7.1 | fixed
tomcat-el-3.0-api | RHEL 8 | 1:9.0.87-1.el8_10.7 | fixed
tomcat-el-3.0-api | RHEL 8.8 E4S | 1:9.0.87-1.el8_8.8 | fixed
tomcat-el-3.0-api | RHEL 8.8 TUS | 1:9.0.87-1.el8_8.8 | fixed
tomcat-el-3.0-api | RHEL 9 | 1:9.0.87-6.el9_7.1 | fixed
tomcat-jsp-2.3-api | RHEL 8 | 1:9.0.87-1.el8_10.7 | fixed
tomcat-jsp-2.3-api | RHEL 8.8 E4S | 1:9.0.87-1.el8_8.8 | fixed
tomcat-jsp-2.3-api | RHEL 8.8 TUS | 1:9.0.87-1.el8_8.8 | fixed
tomcat-jsp-2.3-api | RHEL 9 | 1:9.0.87-6.el9_7.1 | fixed
tomcat-lib | RHEL 8 | 1:9.0.87-1.el8_10.7 | fixed
tomcat-lib | RHEL 8.8 E4S | 1:9.0.87-1.el8_8.8 | fixed
tomcat-lib | RHEL 8.8 TUS | 1:9.0.87-1.el8_8.8 | fixed
tomcat-lib | RHEL 9 | 1:9.0.87-6.el9_7.1 | fixed
tomcat-servlet-4.0-api | RHEL 8 | 1:9.0.87-1.el8_10.7 | fixed
tomcat-servlet-4.0-api | RHEL 8.8 E4S | 1:9.0.87-1.el8_8.8 | fixed
tomcat-servlet-4.0-api | RHEL 8.8 TUS | 1:9.0.87-1.el8_8.8 | fixed
tomcat-servlet-4.0-api | RHEL 9 | 1:9.0.87-6.el9_7.1 | fixed
tomcat-webapps | RHEL 8 | 1:9.0.87-1.el8_10.7 | fixed
tomcat-webapps | RHEL 8.8 E4S | 1:9.0.87-1.el8_8.8 | fixed
tomcat-webapps | RHEL 8.8 TUS | 1:9.0.87-1.el8_8.8 | fixed
tomcat-webapps | RHEL 9 | 1:9.0.87-6.el9_7.1 | fixed