CVE-2025-46701

Apache Tomcat: Security constraint bypass for CGI scripts

Severity Score

7.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.

Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.

It was discovered that Tomcat did not correctly handle case sensitivity. An attacker could possibly use this issue to bypass authentication mechanisms. Elysee Franchuk discovered that Tomcat did not correctly limit the number of attributes for a session. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 24.04 LTS.

*Credits: Greg K (https://github.com/gregk4sec)

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2025-04-28 CVE Reserved
2025-04-29 First Exploit
2025-05-29 CVE Published
2025-08-08 CVE Updated
2025-08-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-178: Improper Handling of Case Sensitivity

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC
https://github.com/gregk4sec/CVE-2025-46701	2025-04-29

URL	Date	SRC

URL	Date	SRC
https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j	2025-08-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat"				>= 11.0.0-M1 <= 11.0.6 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 11.0.0-M1 <= 11.0.6"		en		Affected
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat"				>= 10.1.0-M1 <= 10.1.40 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 10.1.0-M1 <= 10.1.40"		en		Affected
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat"				>= 9.0.0.M1 <= 9.0.104 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 9.0.0.M1 <= 9.0.104"		en		Affected
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat"				>= 8.5.0 <= 8.5.100 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 8.5.0 <= 8.5.100"		en		Affected