Hi all,

A few new CVEs were announced, including two with a severity level of "Important" (these latter two are not relevant to the TDS, but could be problematic if you are also hosting applications that permit file uploads). Please upgrade to the latest version of Tomcat.

---------- Forwarded message ---------
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Mon, Jun 16, 2025 at 8:19 AM
Subject: [SECURITY] CVE-2025-49125 Apache Tomcat - Security constraint bypass for pre/post-resources
To: Tomcat Users List <users@xxxxxxxxxxxxxxxxx>
Cc: <announce@xxxxxxxxxx>, announce@xxxxxxxxxxxxxxxxx <announce@xxxxxxxxxxxxxxxxx>, Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx>

CVE-2025-49125 Apache Tomcat - Security constraint bypass for pre/post-resources

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.7
Apache Tomcat 10.1.0-M1 to 10.1.41
Apache Tomcat 9.0.0.M1 to 9.0.105

Description:
When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.8 or later
- Upgrade to Apache Tomcat 10.1.42 or later
- Upgrade to Apache Tomcat 9.0.106 or later

Credit:
Greg K (https://github.com/gregk4sec)

History:
2025-06-16 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html

--
------------------------------------------------------------------------------------
Jennifer Oxelson Ganter
NSF Unidata Software Engineer IV
P.O. Box 3000
oxelson@xxxxxxxx
Boulder, CO 80307
------------------------------------------------------------------------------------
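An added check, not part of the message above or of the Tomcat project, that tests an installed Tomcat version string against the affected ranges and fixed versions listed in the advisory. The ranges and fixed versions are copied from the advisory; the version-string parser is an assumption about Tomcat's milestone naming ("11.0.0-M1" and "9.0.0.M1" are both milestone releases that precede the GA release of the same number).

```python
import re

# Affected ranges and the fixed release for each branch, copied from the
# CVE-2025-49125 advisory above: (first affected, last affected, fixed).
AFFECTED = [
    ("11.0.0-M1", "11.0.7", "11.0.8"),
    ("10.1.0-M1", "10.1.41", "10.1.42"),
    ("9.0.0.M1", "9.0.105", "9.0.106"),
]

# Accepts "9.0.105", "11.0.0-M1" and "9.0.0.M1" (older branches wrote the
# milestone with a dot instead of a dash).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Turn a Tomcat version string into a sortable tuple.

    A milestone sorts before the GA release with the same number, so the
    trailing components are (0, n) for milestone n and (1, 0) for GA.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + tail


def check_tomcat(version):
    """Return the fixed version to upgrade to, or None if the version is
    outside every affected range listed in the advisory.

    None only means the advisory lists no range for that version (e.g. an
    8.5.x install); it is not a statement that such a version is safe.
    """
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real deployment.
    for sample in ["9.0.105", "9.0.106", "10.1.0-M7", "11.0.8", "8.5.100"]:
        fixed = check_tomcat(sample)
        print(f"{sample}: {'upgrade to ' + fixed if fixed else 'no listed range'}")
```

The version string to feed in is the one reported by Tomcat's own version script or startup log; the check only covers this advisory, so it says nothing about the other CVEs the message mentions.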