CVE-2025-31651

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat.For a subset of unlikely rewrite rule configurations, it was possible 
for a specially crafted request to bypass some rewrite rules. If those 
rewrite rules effectively enforced security constraints, those 
constraints could be bypassed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.

Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
apacheCNA
---
---
CVEADP
---
---
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
VendorProductVersion
apachetomcat
9.0.0 ≤
𝑥
< 9.0.104
apachetomcat
10.1.0 ≤
𝑥
< 10.1.40
apachetomcat
11.0.0 ≤
𝑥
< 11.0.6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
tomcat10
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
postponed
sid
10.1.40-1
fixed
trixie
10.1.40-1
fixed
tomcat11
sid
11.0.6-1
fixed
trixie
11.0.6-1
fixed
bullseye
postponed
tomcat9
bullseye
postponed
bullseye (security)
vulnerable
bookworm
9.0.70-2
fixed
sid
9.0.95-1
fixed
trixie
9.0.95-1
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://lists.apache.org/list.html?announce@tomcat.apache.org
http://www.openwall.com/lists/oss-security/2025/04/28/3