10 Tomcat CVEs to Watch Out for in 2025 (Patched by HeroDevs NES)
From RCE to DoS, these 2025 Apache Tomcat vulnerabilities target versions still widely used in production. HeroDevs NES neutralizes the threat.
Research shows these vulnerabilities impact widely used versions of Tomcat, many of which are still on your production path. Here’s what you should know:
1. CVE-2025-24813 – Partial PUT Remote Code Execution (RCE)
Critical Severity
If Tomcat’s default servlet had write enabled along with partial PUT, attackers could overwrite or inject code into sensitive files, potentially triggering RCE. Affects 11.0.0-M1 to 11.0.2.
Patched in:
- Tomcat 11.0.3
- HeroDevs NES for Tomcat: 8.5.101, 9.0.99, 10.1.35, and 11.0.3
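The two settings named above (default servlet write access and partial PUT support) live in the DefaultServlet declaration of Tomcat's conf/web.xml. The following script, an added example rather than HeroDevs or Apache code, parses a web.xml and reports whether that combination is present; the init-param names `readonly` and `allowPartialPut` and their defaults are assumed from the Tomcat DefaultServlet documentation, and both XML samples are constructed for the demo.

```python
"""Flag a Tomcat conf/web.xml whose DefaultServlet is writable with partial PUT enabled.

Added example, not HeroDevs or Apache Tomcat code. Assumes the DefaultServlet
init-params are named `readonly` (default true) and `allowPartialPut`
(default true), as documented for the servlet; the XML below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: writable default servlet with partial PUT left on (the risky shape).
VULNERABLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>allowPartialPut</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# Constructed sample: the hardened shape, with the servlet explicitly read-only.
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so tags compare by local name only."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml_text):
    """Return the DefaultServlet's init-params as a dict (empty if it is not declared)."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        servlet_class = ""
        params = {}
        for child in servlet:
            name = _local(child.tag)
            if name == "servlet-class":
                servlet_class = (child.text or "").strip()
            elif name == "init-param":
                param_name = param_value = None
                for leaf in child:
                    if _local(leaf.tag) == "param-name":
                        param_name = (leaf.text or "").strip()
                    elif _local(leaf.tag) == "param-value":
                        param_value = (leaf.text or "").strip()
                if param_name is not None:
                    params[param_name] = param_value
        if servlet_class.endswith(".DefaultServlet"):
            return params
    return {}


def assess_default_servlet(web_xml_text):
    """Apply the documented defaults and report whether write + partial PUT are both on."""
    params = default_servlet_params(web_xml_text)
    readonly = params.get("readonly", "true").lower() == "true"
    partial_put = params.get("allowPartialPut", "true").lower() == "true"
    return {
        "writable": not readonly,
        "partial_put": partial_put,
        # Only the combination of both settings matches the condition described above.
        "exposed": (not readonly) and partial_put,
    }


if __name__ == "__main__":
    for label, xml in (("vulnerable", VULNERABLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, assess_default_servlet(xml))
```

Run it against a real conf/web.xml by reading the file into a string and passing it to `assess_default_servlet`; a result of `exposed: True` on an unpatched version is the condition this CVE describes, and the fix is either upgrading or leaving `readonly` at its default.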
2. CVE-2025-31651 – Improper Neutralization of Escape, Meta, or Control Sequences Vulnerability (Command Injection)
Critical Severity
A vulnerability in Tomcat’s RewriteRule allows attackers to bypass security mechanisms by exploiting improperly handled characters like ; or ?. This can lead to unauthorized access to protected resources. Affects: 9.0.76 – 9.0.103, 10.1.10 – 10.1.39, 11.0.0-M2 – 11.0.5
Patched in:
- Tomcat 9.0.104, 10.1.40, 11.0.6
- HeroDevs NES for Tomcat: 8.5.101, 9.0.104, 10.1.40, and 11.0.6
3. CVE-2025-31650 – HTTP/2 Priority Header Memory Leak (DoS)
High Severity
Improper input handling when processing malformed HTTP/2 priority headers can trigger memory leaks, leading to OutOfMemory errors and service outages. Affects Tomcat versions 9.0.76 – 9.0.102, 10.1.10 – 10.1.39, 11.0.0-M2 – 11.0.5.
Patched in:
- Tomcat 9.0.104, 10.1.40, 11.0.6
- HeroDevs NES for Tomcat: 8.5.101+
4. CVE-2025-46701 – Improper Handling of Case Sensitivity in CGI Servlet (Path Traversal)
High Severity
A vulnerability in Tomcat’s CGI servlet allows attackers to bypass security constraints by exploiting inconsistencies in case sensitivity when accessing URI components. This can lead to unauthorized access to sensitive resources. Affects: 9.0.0-M1 – 9.0.104, 10.1.0-M1 – 10.1.40, 11.0.0-M1 – 11.0.6
Patched in:
- Tomcat 9.0.105, 10.1.41, 11.0.7
- HeroDevs NES for Tomcat: 8.5.101, 9.0.105, 10.1.41, and 11.0.7
5. CVE-2025-48988 – Multipart Upload DoS via Part Count (DoS)
High Severity
Tomcat used the same limit for both the number of parts and the size of part headers, so crafted uploads with an excessive number of parts could exhaust memory. Affects 11.0.0-M1 to 11.0.7.
Patched in:
- Tomcat 11.0.8
- HeroDevs NES for Tomcat: 8.5.101, 9.0.106, 10.1.42, and 11.0.8
6. CVE-2025-49124 – Windows Installer Path Side-Loading (Path Traversal)
High Severity
On Windows, using icacls.exe without a full path created a side-loading vulnerability during installation. Affects versions 11.0.0-M1 to 11.0.7.
Patched in:
- Tomcat 11.0.8
- HeroDevs NES for Tomcat: 8.5.101, 9.0.106, 10.1.42, and 11.0.8
7. CVE-2025-49125 – Pre/Post-Resources Path Bypass (Authorization Bypass)
Medium Severity
Uncommon resource mount configurations allowed security constraints to be bypassed. Affects versions up to 11.0.7.
Patched in:
- Tomcat 11.0.8
- HeroDevs NES for Tomcat: 8.5.101, 9.0.106, 10.1.42, and 11.0.8
8. CVE-2025-52434 – APR/native Connector DoS via Memory Fault (DoS)
Medium Severity
A flaw in Tomcat’s APR/native connector could be abused to exhaust service memory, causing downtime.
Patched in:
- Tomcat 11.0.8
- HeroDevs NES for Tomcat: 8.5.102, 9.0.107
9. CVE-2025-52520 – Multipart Request Size Tracking Error (DoS)
Medium Severity
Tomcat improperly tracked the size of multipart requests, allowing attackers to exceed the configured memory limits. Fixed in NES 8.5.102 (docs.herodevs.com).
Patched in:
- Tomcat 11.0.8
- HeroDevs NES for Tomcat: 8.5.102, 9.0.107, 10.1.43, and 11.0.9
10. CVE-2025-53506 – HTTP/2 Stream Limit (DoS)
Medium Severity
Failing to enforce initial connection limits opened the door to DoS via too many unacknowledged HTTP/2 streams.
Patched in:
- Tomcat 11.0.8
- HeroDevs NES for Tomcat: 8.5.102, 9.0.107, 10.1.43, and 11.0.9
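The first step in triage is knowing which of the items above apply to the Tomcat build you actually run. The script below is an added example, not HeroDevs or Apache code: it encodes the affected ranges exactly as this page states them for items 1 through 6 (items 7 to 10 give no complete range, so they are left out), handles milestone builds such as 11.0.0-M2 sorting before the 11.0.0 release, and returns the matching CVE IDs for a given version string. The version strings fed to it are constructed for the demo.

```python
"""Report which of the CVEs listed on this page cover a given Tomcat version.

Added example, not HeroDevs or Apache Tomcat code. The inclusive ranges below
are copied from the page text; items 7-10 are omitted because the page does
not give a full affected range for them. Test versions are constructed.
"""
import re

# Inclusive affected ranges, as stated above. "11.0.0-M2" is a milestone that
# precedes the final "11.0.0" release.
AFFECTED = {
    "CVE-2025-24813": [("11.0.0-M1", "11.0.2")],
    "CVE-2025-31651": [("9.0.76", "9.0.103"), ("10.1.10", "10.1.39"), ("11.0.0-M2", "11.0.5")],
    "CVE-2025-31650": [("9.0.76", "9.0.102"), ("10.1.10", "10.1.39"), ("11.0.0-M2", "11.0.5")],
    "CVE-2025-46701": [("9.0.0-M1", "9.0.104"), ("10.1.0-M1", "10.1.40"), ("11.0.0-M1", "11.0.6")],
    "CVE-2025-48988": [("11.0.0-M1", "11.0.7")],
    "CVE-2025-49124": [("11.0.0-M1", "11.0.7")],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text):
    """Turn 'major.minor.patch[-Mn]' into a tuple that sorts milestones before the release."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = match.groups()
    # A final release outranks every milestone with the same three numbers.
    milestone_rank = int(milestone) if milestone is not None else float("inf")
    return (int(major), int(minor), int(patch), milestone_rank)


def affected_cves(version_text, table=AFFECTED):
    """Return the CVE IDs (in page order) whose ranges include the given version."""
    version = parse_version(version_text)
    hits = []
    for cve, ranges in table.items():
        if any(parse_version(lo) <= version <= parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed versions: one inside several ranges, one milestone, two patched builds.
    for v in ("9.0.102", "11.0.0-M1", "10.1.41", "8.5.101"):
        print(v, affected_cves(v) or "none of the ranges listed above")
```

The version string comes from the `Server version:` line of `bin/version.sh` (or `version.bat`) on the host being checked. A version that falls outside every range listed here is not proof of safety for items 7 to 10, whose full ranges this page does not give.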