VDB

DEBIAN-CVE-2025-31651

DEBIAN-CVE-2025-31651 PUBLISHED CVSS 9.800000190734863 CRITICAL

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

Risk Scores

CVSS 3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
Debian:13tomcat110, 0
Debian:14tomcat110, 0
Debian:11tomcat99.0.43-2~deb11u1, 9.0.43-2~deb11u11, *
Debian:14tomcat90, 0
Debian:13tomcat90, 0
Debian:12tomcat90, 0
Debian:13tomcat100, 0
Debian:14tomcat100, 0
Debian:12tomcat1010.1.30-1~bpo12+1, 10.1.31-1, 10.1.33-1

Exploit Intelligence

Timeline

  • Apr 28, 2025 CVE Published
  • Apr 28, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›