Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

cve-2025-46701
Back to All
CVE

CVE-2025-46701

Apache Tomcat - CGI security constraint bypass

Description

Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104.

Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.

Base CVSS

7.3

EPSS Score

0.02%

Introduced Version

6.0.13

Fix Available

9.0.105,10.1.41,11.0.7

Available Patches

Package
CVEs Fixed
Lines of Code Changed
Package Name
org.apache.tomcat:tomcat-catalina
7.0.55
CVES Fixed
C
2
H
17
M
0
L
0
Code Changed
+3137
-434

References

https://github.com/apache/tomcat/commit/2c6800111e7d8d8d5403c07978ea9bff3db5a5a5
http://www.openwall.com/lists/oss-security/2025/05/29/4
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.105
https://nvd.nist.gov/vuln/detail/CVE-2025-46701
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.41
https://github.com/apache/tomcat/commit/fab7247d2f0e3a29d5daef565f829f383e10e5e2
https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j
https://github.com/apache/tomcat/commit/0f01966eb60015d975525019e12a087f05ebf01a
https://github.com/apache/tomcat/commit/8df00018a252baa9497615d6420fb6c10466fa74
https://github.com/apache/tomcat/commit/238d2aa54b99f91d1111467e2237d2244c64e558
https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.7
https://github.com/apache/tomcat/commit/8cb95ff03221067c511b3fa66d4f745bc4b0a605
https://github.com/apache/tomcat

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance
Oops! Something went wrong, please try again.
brightness-increase
moon-01