{
  "threat_severity" : "Important",
  "public_date" : "2025-10-27T17:29:56Z",
  "bugzilla" : {
    "description" : "tomcat: org.apache.tomcat/tomcat-catalina: Apache Tomcat: Directory traversal via rewrite with possible RCE",
    "id" : "2406591",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2406591"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-23",
  "details" : [ "Relative Path Traversal vulnerability in Apache Tomcat.\nThe fix for bug 60013 introduced a regression where the       rewritten URL was normalized before it was decoded. This introduced the       possibility that, for rewrite rules that rewrite query parameters to the       URL, an attacker could manipulate the request URI to bypass security       constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108.\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.6 though 8.5.100. Other, older, EOL versions may also be affected.\nUsers are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.", "A directory traversal vulnerability in Apache Tomcat caused by improper URL normalization during request rewriting. When specific rewrite rules are used, an attacker could craft a malicious request to bypass access restrictions and reach protected directories such as /WEB-INF/ or /META-INF/. If HTTP PUT requests are also enabled, this flaw could allow the upload of malicious files, potentially leading to remote code execution." ],
  "statement" : "This vulnerability is rated as Important rather than Critical because successful exploitation depends on specific, non-default configuration conditions. The flaw only becomes exploitable when both URL rewriting rules that modify the request path are in use and HTTP PUT requests are enabled — a feature typically restricted to administrative or trusted users. In standard Tomcat deployments, PUT is disabled or tightly controlled, and rewrite configurations rarely expose sensitive paths. Therefore, while the issue could theoretically lead to remote code execution, the limited attack surface and requirement for uncommon setup conditions significantly reduce its overall risk level.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23050",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "tomcat-1:10.1.36-3.el10_1.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23052",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "tomcat9-1:9.0.87-8.el10_1.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23051",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "tomcat-1:10.1.36-1.el10_0.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23053",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "tomcat9-1:9.0.87-5.el10_0.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23048",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "tomcat-1:9.0.87-1.el8_10.7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2725",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.2",
    "package" : "pki-deps:10.6-8020020260128173505.4cda2c84"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2724",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.4",
    "package" : "pki-deps:10.6-8040020260129154709.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2724",
    "cpe" : "cpe:/a:redhat:rhel_eus_long_life:8.4",
    "package" : "pki-deps:10.6-8040020260129154709.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2726",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.6",
    "package" : "pki-deps:10.6-8060020260128101437.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2726",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.6",
    "package" : "pki-deps:10.6-8060020260128101437.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2026-02-16T00:00:00Z",
    "advisory" : "RHSA-2026:2726",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.6",
    "package" : "pki-deps:10.6-8060020260128101437.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23045",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.8",
    "package" : "tomcat-1:9.0.87-1.el8_8.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23045",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.8",
    "package" : "tomcat-1:9.0.87-1.el8_8.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23049",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "tomcat-1:9.0.87-6.el9_7.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-01-08T00:00:00Z",
    "advisory" : "RHSA-2026:0292",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "pki-servlet-engine-1:9.0.43-4.el9_0.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23046",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "tomcat-1:9.0.87-1.el9_2.7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-01-08T00:00:00Z",
    "advisory" : "RHSA-2026:0293",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "pki-servlet-engine-1:9.0.50-1.el9_2.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23047",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "tomcat-1:9.0.87-1.el9_4.7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2025-12-10T00:00:00Z",
    "advisory" : "RHSA-2025:23044",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "tomcat-1:9.0.87-3.el9_6.4"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.8.6",
    "release_date" : "2025-12-09T00:00:00Z",
    "advisory" : "RHSA-2025:22924",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.8",
    "package" : "tomcat-catalina"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.8 on RHEL 7",
    "release_date" : "2025-12-09T00:00:00Z",
    "advisory" : "RHSA-2025:22925",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.8::el7",
    "package" : "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.8 on RHEL 8",
    "release_date" : "2025-12-09T00:00:00Z",
    "advisory" : "RHSA-2025:22925",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.8::el8",
    "package" : "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.8 on RHEL 9",
    "release_date" : "2025-12-09T00:00:00Z",
    "advisory" : "RHSA-2025:22925",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.8::el9",
    "package" : "jws5-tomcat-0:9.0.87-14.redhat_00013.1.el9jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6.1.3",
    "release_date" : "2025-11-06T00:00:00Z",
    "advisory" : "RHSA-2025:19810",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.1",
    "package" : "tomcat-catalina"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6.1 on RHEL 10",
    "release_date" : "2025-11-06T00:00:00Z",
    "advisory" : "RHSA-2025:19809",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.1::el10",
    "package" : "jws6-tomcat-0:10.1.36-19.redhat_00018.1.el10jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6.1 on RHEL 8",
    "release_date" : "2025-11-06T00:00:00Z",
    "advisory" : "RHSA-2025:19809",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.1::el8",
    "package" : "jws6-tomcat-0:10.1.36-19.redhat_00018.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6.1 on RHEL 9",
    "release_date" : "2025-11-06T00:00:00Z",
    "advisory" : "RHSA-2025:19809",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6.1::el9",
    "package" : "jws6-tomcat-0:10.1.36-19.redhat_00018.1.el9jws"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-04T00:00:00Z",
    "advisory" : "RHSA-2026:6569",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "tomcat11-main-11.0.21-0.1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-15T00:00:00Z",
    "advisory" : "RHSA-2026:8334",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "tomcat10-main-10.1.54-1.hum1"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces (RHOSDS) 3.25",
    "release_date" : "2025-12-15T00:00:00Z",
    "advisory" : "RHSA-2025:23225",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.25::el9",
    "package" : "devspaces/server-rhel9:3.25.0-1765225950"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Certificate System 10",
    "fix_state" : "Not affected",
    "package_name" : "redhat-pki:10/jss",
    "cpe" : "cpe:/a:redhat:certificate_system:10"
  }, {
    "product_name" : "Red Hat Certificate System 10",
    "fix_state" : "Affected",
    "package_name" : "redhat-pki:10/redhat-pki",
    "cpe" : "cpe:/a:redhat:certificate_system:10"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Not affected",
    "package_name" : "tomcat-catalina",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "dogtag-pki",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "jss",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "mod_proxy_cluster",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat6",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "log4j:2/log4j",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "pki-deps:10.6/pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "jss",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "log4j",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "mod_proxy_cluster",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "pki-core",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat-catalina",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Core Services",
    "fix_state" : "Not affected",
    "package_name" : "jbcs-httpd24-mod_cluster-native",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1"
  }, {
    "product_name" : "Red Hat JBoss Core Services",
    "fix_state" : "Not affected",
    "package_name" : "jbcs-httpd24-mod_proxy_cluster",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat-catalina",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat-catalina-ha",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "tomcat-catalina",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "tomcat-catalina-ha",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "tomcat-catalina",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "tomcat-catalina-ha",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5",
    "fix_state" : "Not affected",
    "package_name" : "jws5-mod_cluster",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5",
    "fix_state" : "Affected",
    "package_name" : "tomcat-catalina-ant",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5",
    "fix_state" : "Affected",
    "package_name" : "tomcat-catalina-ha",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6",
    "fix_state" : "Not affected",
    "package_name" : "jws6-mod_cluster",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6",
    "fix_state" : "Affected",
    "package_name" : "tomcat-catalina-ant",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6",
    "fix_state" : "Affected",
    "package_name" : "tomcat-catalina-ha",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Affected",
    "package_name" : "devspaces/server-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Affected",
    "package_name" : "tomcat-catalina",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat-catalina",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-55752\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-55752\nhttps://github.com/apache/tomcat/commit/fec06c610ed7466b401e29cc567a58aee5ed826a\nhttps://lists.apache.org/thread/n05kjcwyj1s45ovs8ll1qrrojhfb1tog" ],
  "name" : "CVE-2025-55752",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.\nTo reduced the risk, by disabling or strictly limiting the use of HTTP PUT requests to trusted, authenticated users only. Additionally, administrators should review and adjust URL rewrite rules to ensure they do not manipulate request paths in ways that could expose protected directories such as /WEB-INF/ or /META-INF/. Implementing strict access controls and monitoring for unexpected rewrite or upload behavior can further minimize potential exploitation.",
    "lang" : "en:us"
  },
  "csaw" : false
}