Vulnerable Version
Tomcat 11.0.0-M1 through 11.0.10
Tomcat 10.1.0-M1 through 10.1.44
Tomcat 9.0.0-M11 through 9.0.108
Some EOL builds may also be impacted
Fixed Version
Tomcat 11.0.11 and above
Tomcat 10.1.45 and above
Tomcat 9.0.109 and above
Base Score
7.5 High
Vendor Description:-
Apache Tomcat is an open-source implementation of the Java Servlet, JavaServer Pages (JSP), and WebSocket technologies, developed by the Apache Software Foundation. It serves as a lightweight, reliable, and widely-used web server and servlet container for deploying Java-based web applications. Tomcat is known for its performance, ease of configuration, and strong community support, making it a preferred choice for enterprise-grade applications and microservices architectures. It is often used in development and production environments to run dynamic content and support scalable, high-availability web services.
CVE-2025-55752 Description:-
With a classification of “Important,” CVE-2025-55752 is regarded as the more serious of the two. The vulnerability allows directory traversal through altered URLs and resulted from a regression introduced while resolving a previous bug (bug 60013). Malicious actors may be able to get around Tomcat’s built-in safeguards for important directories such as /WEB-INF/ and /META-INF/ by crafting request URIs that Tomcat normalizes before decoding them. Enabling HTTP PUT requests increases the risk, since an attacker could upload malicious files, which could result in remote code execution on the server. However, PUT requests are limited to trusted users in the majority of production settings, which reduces the likelihood of immediate exploitation.
Impact:-
- Directory Traversal: Attackers can bypass Tomcat’s default protections and access sensitive directories.
- Information Disclosure: Unauthorized reading of configuration files, credentials, or source code.
- Remote Code Execution (RCE): If PUT or file upload is enabled, malicious JSP or script files could be uploaded and executed.
- Web Application Compromise: Successful exploitation may lead to modification or defacement of hosted web apps.
- Privilege Escalation & Persistence: Attackers could plant backdoors or maintain unauthorized access to the server.
Mitigations:-
- Upgrade Tomcat: Update to the patched version (see Fixed Version above) to fix the normalization flaw.
- Disable HTTP PUT/DELETE: Unless explicitly required, disable the PUT and DELETE methods in web.xml or the server configuration.
- Apply Input Validation: Implement strict path validation and URL normalization at the application layer.
- Use Read-Only File Permissions: Restrict Tomcat process permissions to prevent file uploads or modifications.
- Monitor & Patch Regularly: Continuously monitor Tomcat’s security advisories and apply updates promptly to avoid regression-based exploits.
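
The following servlet filter is an added example written for this page; it is not code from the Tomcat project or from this advisory. It shows what "strict path validation and URL normalization at the application layer" looks like when done in the right order for the bug class described above: percent-decode the raw request URI first, normalize the decoded form, and only then check whether the result lands in /WEB-INF/ or /META-INF/. It also refuses PUT and DELETE unless the deployment opts in. Assumptions: the jakarta.servlet API (Tomcat 10.1 and 11; Tomcat 9 uses javax.servlet and Java 8, where URLDecoder.decode takes a charset name instead of a Charset), Java 11 or later, a made-up init-param name allowWriteMethods, and a filter mapping of /* in web.xml. Tomcat's own protection remains the primary control; this filter is defense in depth and does not replace the upgrade.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Added example, not part of Tomcat or of the advisory.
 * Defense in depth for the normalize-before-decode bug class:
 * decode, then normalize, then compare against the protected directories.
 * Map this filter to "/*" ahead of any other filter.
 */
public class ProtectedPathFilter implements Filter {

    // Directories the servlet spec forbids serving directly; compared case-insensitively.
    private static final Set<String> PROTECTED_DIRS = Set.of("/web-inf", "/meta-inf");

    // Assumed init-param name; absent or "false" means PUT and DELETE are rejected.
    private boolean allowWriteMethods;

    @Override
    public void init(FilterConfig config) {
        allowWriteMethods = Boolean.parseBoolean(config.getInitParameter("allowWriteMethods"));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String method = request.getMethod();
        if (!allowWriteMethods && ("PUT".equals(method) || "DELETE".equals(method))) {
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }

        // getRequestURI() is the still-encoded path exactly as the client sent it.
        if (!isSafePath(request.getRequestURI(), request.getContextPath())) {
            // 404 so the response is indistinguishable from a genuinely missing resource.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Returns true when the canonical form of rawUri stays outside the protected
     * directories. Order matters: decode, then normalize, then compare.
     */
    static boolean isSafePath(String rawUri, String contextPath) {
        // 1. Percent-decode. Two rounds catch double encoding; a malformed escape is rejected.
        String decoded = rawUri;
        try {
            for (int i = 0; i < 2; i++) {
                decoded = URLDecoder.decode(decoded, StandardCharsets.UTF_8);
            }
        } catch (IllegalArgumentException e) {
            return false;
        }
        // Treat backslash as a separator so it cannot be used to hide a dot segment.
        decoded = decoded.replace('\\', '/');

        // 2. Resolve "." and ".." on the DECODED path, never on the encoded one.
        String normalized;
        try {
            normalized = new URI(null, null, decoded, null).normalize().getPath();
        } catch (URISyntaxException e) {
            return false;
        }
        if (normalized == null) {
            return false;
        }
        // Any ".." segment that survives normalization tried to climb above the root.
        for (String segment : normalized.split("/")) {
            if ("..".equals(segment)) {
                return false;
            }
        }

        // 3. Strip the context path and compare the in-webapp path against the protected list.
        String inApp = normalized.startsWith(contextPath)
                ? normalized.substring(contextPath.length()) : normalized;
        String lower = inApp.toLowerCase(Locale.ROOT);
        for (String dir : PROTECTED_DIRS) {
            if (lower.equals(dir) || lower.startsWith(dir + "/")) {
                return false;
            }
        }
        return true;
    }
}
```

The method check in the filter is a belt-and-braces measure: Tomcat's DefaultServlet only honors PUT and DELETE when its readonly init-param in web.xml is set to false (the default is true), so the configuration-level form of the "Disable HTTP PUT/DELETE" mitigation is to leave that parameter at its default and, where an application needs uploads, to scope them to an authenticated path with a security-constraint rather than enabling writes for the whole webapp.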
