Summary
| Vulnerability Name | Apache Tomcat Directory Traversal via Rewrite Valve (CVE-2025-55752) |
| Released on | October 29, 2025 |
| Affected Component | Apache Tomcat |
| Affected Version | 8.5.6 ≤ Apache Tomcat ≤ 8.5.100; 9.0.0.M11 ≤ Apache Tomcat ≤ 9.0.108; 10.1.0-M1 ≤ Apache Tomcat ≤ 10.1.44; 11.0.0-M1 ≤ Apache Tomcat ≤ 11.0.10 |
| Vulnerability Type | Directory traversal |
| Exploitation Condition | 1. User authentication: not required. 2. Preconditions: (a) directory traversal is possible if the target Tomcat server is configured with the rewrite valve and the rewrite rules rewrite query parameters to the URL; (b) remote code execution is possible if the PUT request feature or Web Distributed Authoring and Versioning (WebDAV) is enabled and the upload feature can be exploited. 3. Trigger mode: remote. |
| Impact | Exploitation difficulty: easy. Attackers can exploit this vulnerability to access sensitive directories without authorization. Severity: high-risk. This vulnerability enables attackers to access files in sensitive directories. |
| Official Solution | Available |
About the Vulnerability
Component Introduction
Apache Tomcat is an open-source implementation of the Jakarta Servlet, Jakarta Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Annotations, and Jakarta Authentication specifications. These specifications are part of the Jakarta EE platform.
Vulnerability Description
On October 29, 2025, Sangfor FarSight Labs received notification of the directory traversal vulnerability in Apache Tomcat (CVE-2025-55752), classified as high-risk in threat level.
Specifically, Apache Tomcat contains a directory traversal vulnerability. It is a regression introduced by the remediation of earlier vulnerabilities, which causes rewritten URLs to be normalized before they are decoded. Attackers can exploit URL rewrite rules to manipulate the request uniform resource identifier (URI) and bypass the security constraints on sensitive directories such as /WEB-INF/ and /META-INF/. Furthermore, if the Tomcat server has also enabled HTTP PUT requests, attackers can upload malicious files, ultimately achieving remote code execution.
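The following Python script is an added illustration and is not code from this advisory or from Apache Tomcat. It models, in simplified form, the ordering defect described above: when a request path is normalized before it is percent-decoded, an encoded dot segment survives normalization, a prefix check on /WEB-INF/ and /META-INF/ passes, and the path decoded afterwards still resolves into the protected directory. The same canonicalization (decode, then normalize) is then reused as a detection heuristic over constructed access-log lines, covering both the request path and query-string values, since the advisory notes that the affected rewrite rules copy query parameters into the URL. The rewrite valve and Tomcat's real request pipeline are not modelled; the function names, the `PROTECTED_PREFIXES` constant and the log format are assumptions made for this example.

```python
# Added example, not code from the Sangfor advisory or from Apache Tomcat.
# Simplified model of "normalize before decode" versus "decode before normalize",
# plus a log-scanning heuristic built on the correct order. Names below are
# illustrative assumptions, not Tomcat identifiers.
import posixpath
import re
from urllib.parse import unquote

PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments as a container's path normalization would.
    posixpath.normpath only recognises literal dots: an encoded '%2e' is left untouched."""
    return posixpath.normpath("/" + path.lstrip("/"))


def is_protected(path: str) -> bool:
    """Security-constraint check: case-insensitive prefix match on the protected directories."""
    return path.upper().startswith(PROTECTED_PREFIXES)


def serve(raw_path: str, decode_first: bool) -> str:
    """Return '403' when the constraint blocks the request, otherwise the path
    that would be resolved on disk.

    decode_first=True  -> decode, then normalize, then check (the correct order)
    decode_first=False -> normalize, then decode, then check (the defective order)
    """
    if decode_first:
        path = normalize(unquote(raw_path))
    else:
        path = unquote(normalize(raw_path))
    if is_protected(path):
        return "403"
    # Resource resolution: the filesystem collapses any '..' that survived the check.
    return normalize(path)


# Constructed access-log lines in a common combined-log shape (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Oct/2025:10:00:01 +0000] "GET /static/app.css HTTP/1.1" 200 512',
    '10.0.0.7 - - [29/Oct/2025:10:00:02 +0000] "GET /static/%2e%2e/WEB-INF/web.xml HTTP/1.1" 200 1843',
    '10.0.0.9 - - [29/Oct/2025:10:00:03 +0000] "GET /view?page=../META-INF/context.xml HTTP/1.1" 200 611',
]
ACCESS_LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def flag_traversal(log_line: str) -> bool:
    """Detection heuristic: flag a request if its path, or any query-string value,
    points into a protected directory once decoded and then normalized."""
    m = ACCESS_LOG_RE.search(log_line)
    if not m:
        return False
    path, _, query = m.group("target").partition("?")
    candidates = [path] + [kv.partition("=")[2] for kv in query.split("&") if kv]
    return any(is_protected(normalize(unquote(c))) for c in candidates)


def scan(lines):
    """Return the log lines that the heuristic flags."""
    return [line for line in lines if flag_traversal(line)]


if __name__ == "__main__":
    encoded = "/static/%2e%2e/WEB-INF/web.xml"
    print("defective order serves:", serve(encoded, decode_first=False))  # /WEB-INF/web.xml
    print("correct order returns: ", serve(encoded, decode_first=True))   # 403
    for line in scan(SAMPLE_LOG):
        print("FLAGGED:", line)
```

The point of `serve` is the order of the two calls, not the prefix check itself: the same `is_protected` test blocks the request in one order and passes it in the other. `flag_traversal` applies the correct order to every candidate string in a logged request, so a traversal sequence that reaches the URL only after a rewrite rule copies it from the query string is still caught at the log layer, independently of whether the server itself was patched.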
Affected Versions
The following Apache Tomcat versions are affected:
8.5.6 ≤ Apache Tomcat ≤ 8.5.100
9.0.0.M11 ≤ Apache Tomcat ≤ 9.0.108
10.1.0-M1 ≤ Apache Tomcat ≤ 10.1.44
11.0.0-M1 ≤ Apache Tomcat ≤ 11.0.10
Solutions
Remediation Solution
Official Solution
The latest version has been officially released to fix the vulnerability. Affected users are advised to update Apache Tomcat to the latest version.
Sangfor Solutions
Vulnerability Detection
The following Sangfor products can proactively detect CVE-2025-55752 vulnerabilities and quickly identify vulnerability risks in batches in business scenarios:
- Athena Managed Detection and Response (MDR): The corresponding detection solution will be released on November 20, 2025. The rule ID is SF-0005-21060.
- Athena XDR: The corresponding detection solution has been released, which uses the fuzz module for detection.
Vulnerability Monitoring
The following Sangfor products support CVE-2025-55752 vulnerability monitoring, and can quickly identify affected assets and the impact scope in business scenarios in real time through traffic collection:
- Cyber Command: The corresponding monitoring solution will be released on November 07, 2025. The rule IDs are 11029703 and 11029704.
- Athena MDR: The corresponding monitoring solution will be released on November 07, 2025. The rule IDs are 11029703 and 11029704. In this case, make sure that Athena MDR is integrated with Cyber Command.
- Athena XDR: The corresponding monitoring solution will be released on November 07, 2025. The rule IDs are 11029703 and 11029704.
Vulnerability Prevention
The following Sangfor products can effectively block CVE-2025-55752 exploits:
- Network Secure: The corresponding prevention solution will be released on November 07, 2025. The rule IDs are 11029703 and 11029704.
- Sangfor Web Application Firewall: The corresponding prevention solution will be released on November 07, 2025. The rule IDs are 11029703 and 11029704.
- Athena MDR: The corresponding prevention solution will be released on November 07, 2025. The rule IDs are 11029703 and 11029704. In this case, make sure that Athena MDR is integrated with Network Secure.
- Athena XDR: The corresponding prevention solution will be released on November 07, 2025. The rule IDs are 11029703 and 11029704. In this case, make sure that Athena XDR is integrated with Network Secure.
Timeline
On October 29, 2025, Sangfor FarSight Labs received notification of the directory traversal vulnerability in Apache Tomcat (CVE-2025-55752).
On October 29, 2025, Sangfor FarSight Labs released a vulnerability alert.
References
https://lists.apache.org/thread/n05kjcwyj1s45ovs8ll1qrrojhfb1tog
Learn More
Sangfor FarSight Labs researches the latest cyber threats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyber threats, providing fast and easy protection for custo