CVE-2025-31651

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat.For a subset of unlikely rewrite rule configurations, it was possible 
for a specially crafted request to bypass some rewrite rules. If those 
rewrite rules effectively enforced security constraints, those 
constraints could be bypassed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.
The following versions were EOL at the time the CVE was created but are 
known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions 
may also be affected.


Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
apacheCNA
---
---
CVEADP
---
---
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 21%
VendorProductVersion
apachetomcat
9.0.0 ≤
𝑥
< 9.0.104
apachetomcat
10.1.0 ≤
𝑥
< 10.1.40
apachetomcat
11.0.0 ≤
𝑥
< 11.0.6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
tomcat10
bookworm
vulnerable
bookworm (security)
vulnerable
forky
10.1.40-1
fixed
sid
10.1.40-1
fixed
trixie
10.1.40-1
fixed
tomcat11
forky
11.0.6-1
fixed
sid
11.0.6-1
fixed
trixie
11.0.6-1
fixed
tomcat9
bullseye
vulnerable
bullseye (security)
9.0.107-0+deb11u1
fixed
bookworm
9.0.70-2
fixed
forky
9.0.95-1
fixed
sid
9.0.95-1
fixed
trixie
9.0.95-1
fixed
Common Weakness Enumeration
References
https://lists.apache.org/list.html?announce@tomcat.apache.org
http://www.openwall.com/lists/oss-security/2025/04/28/3