CVE-2025-55752: Relative Path Traversal in Apache Tomcat Rewrite Valve
How a regression in Tomcat's URL rewrite pipeline bypasses /WEB-INF/ and /META-INF/ protections and opens a path to remote code execution when PUT is enabled

Open source powers the modern software stack, but its security depends on a shared commitment to finding and fixing weaknesses before they become incidents.
At HeroDevs, that's our mission: secure open source. We do it in two ways:
- Remediating known CVEs across critical ecosystems, and
- Proactively researching vulnerabilities before attackers can exploit them.
A new high-severity vulnerability, CVE-2025-55752, has been disclosed by the Apache Tomcat project. The flaw sits in the rewrite valve's URL handling: a regression from an earlier bugfix causes the rewritten URL to be normalized before it is decoded, which lets an attacker bypass the security constraints that protect /WEB-INF/ and /META-INF/. When combined with PUT enabled on the servlet, this becomes a path to remote code execution.
For Apache Tomcat 8.5, which reached end of life in March 2024, there is no upstream patch. NES for Apache Tomcat delivers the fix in 8.5.103 as a secure drop-in replacement.
What is CVE-2025-55752?
CVE-2025-55752 is a relative path traversal vulnerability (CWE-23) in Apache Tomcat's request URI handling. The regression was introduced by the fix for Tomcat bug 60013, which changed the order of URL normalization and decoding in the rewrite pipeline.
The sequence matters. When a rewrite rule rewrites query parameters into the URL path, Tomcat now normalizes the resulting URI first and decodes it afterward. That ordering means percent-encoded traversal sequences (such as %2e%2e%2f for ../) survive normalization untouched, then get decoded into active path segments that walk out of the intended directory. The security constraints that guard /WEB-INF/ and /META-INF/ operate on the normalized-but-not-yet-decoded form, so the check passes while the actual request reaches the restricted location.
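To make the ordering concrete, here is an added toy model (not Tomcat's code) of the two pipelines: normalize-then-decode as in the regressed valve, and decode-then-normalize as in the fix. The path values are constructed samples, and the protected-prefix check is a simplification of the container's /WEB-INF/ and /META-INF/ constraint.

```python
# Added illustration, not Tomcat code: a toy model of the two orderings of
# normalize-and-decode that CVE-2025-55752 hinges on. All paths are constructed.
from urllib.parse import unquote

PROTECTED_PREFIXES = ("/web-inf/", "/meta-inf/")

def normalize(path: str) -> str:
    """Collapse '.' and '..' segments on the path as given. It never decodes,
    so an encoded '%2e%2e' segment is treated as an ordinary directory name."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)

def is_protected(path: str) -> bool:
    """Simplified stand-in for the container's /WEB-INF/ and /META-INF/ constraint."""
    return path.lower().startswith(PROTECTED_PREFIXES)

def resolve(rewritten_uri: str, decode_first: bool) -> tuple[bool, str]:
    """Return (allowed, path_actually_served) for a rewritten URI.

    decode_first=False models the regressed order from the advisory: normalize,
    check the constraint, then decode. decode_first=True models the fixed order:
    decode, normalize, then check the fully canonical path."""
    if decode_first:
        canonical = normalize(unquote(rewritten_uri))
        return (not is_protected(canonical)), canonical
    checked = normalize(rewritten_uri)      # the constraint check sees this form...
    served = normalize(unquote(checked))    # ...but resolution reaches this one
    return (not is_protected(checked)), served

def demo() -> dict[str, tuple[bool, str]]:
    """Constructed URIs as a rewrite rule might emit them from a query parameter."""
    encoded = "/public/%2e%2e/WEB-INF/web.xml"   # encoded traversal (constructed)
    plain = "/public/../WEB-INF/web.xml"         # unencoded traversal for comparison
    return {
        "regressed-encoded": resolve(encoded, decode_first=False),
        "fixed-encoded": resolve(encoded, decode_first=True),
        "regressed-plain": resolve(plain, decode_first=False),
        "fixed-plain": resolve(plain, decode_first=True),
    }
```

Only the regressed order lets the encoded sample through: the check sees `/public/%2e%2e/WEB-INF/web.xml` and passes it, while the decoded path that is actually resolved is `/WEB-INF/web.xml`; the unencoded variant is caught by both orders, which is why the bug went unnoticed by tests that only used literal `..` segments.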
Two impact scenarios follow from that primitive:
- Information disclosure: an attacker can read sensitive files inside /WEB-INF/ (classes, web.xml, credentials) and /META-INF/, bypassing the constraints that are supposed to keep those paths private.
- Remote code execution: if the servlet's readonly init parameter has been set to false (which enables PUT/DELETE on the default servlet), the same primitive lets an attacker upload a JSP or other executable file into a location that gets served and executed in the Tomcat context.
Apache notes that PUT is normally restricted to trusted users and is rarely combined with rewrite rules that manipulate the URI, which is reflected in the CVSS attack complexity.
Technical detail
A note on the CVSS vector: PR:L (privileges required: low) means the attacker needs at least low privileges, not that the vulnerability is unauthenticated. In practice, this aligns with scenarios where the attacker can reach a rewrite-enabled endpoint and, for the RCE chain, has credentials sufficient to use the PUT method. AC:H (attack complexity: high) reflects the specific configuration conditions required for the traversal to trigger: a rewrite rule that rewrites a query parameter into the URL path.
Who is affected?
This vulnerability affects every currently maintained Tomcat branch plus the EOL 8.5 line.
Apache's advisory explicitly notes that "other, older, EOL versions may also be affected." Tomcat 8.5 reached end of life on March 31, 2024, and the Apache Tomcat project does not publish security fixes for EOL branches. Organizations running Tomcat 8.5 in production have no upstream path to remediation.
Remediation
For NES for Apache Tomcat customers, the fix ships in 8.5.103 with no code changes or migration required. The replacement binary drops into an existing Tomcat 8.5 deployment and resolves the vulnerability along with every other CVE HeroDevs has remediated on the 8.5 line.
For teams still planning a migration off 8.5, NES buys the runway to execute that migration on your timeline rather than under the pressure of an unpatched high-severity CVE. Recent HeroDevs coverage of other Tomcat CVEs worth reviewing on the same deployments includes CVE-2025-24813, CVE-2025-31651, CVE-2025-46701, and CVE-2025-55754.
Taking action
CVE-2025-55752 is a clear example of how EOL compounds risk. A regression in Tomcat 8.5.6 sat in the rewrite pipeline for years, and the Apache team's fix only reaches versions that are still in community support. For every organization running Tomcat 8.5, this is a high-severity vulnerability with a documented RCE path and no upstream remedy.
If your organization depends on Apache Tomcat 8.5 or earlier, this is exactly the kind of risk HeroDevs exists to address. NES for Apache Tomcat delivers secure drop-in replacements with remediated CVEs, so you can stay protected and compliant without an emergency migration.
Full vulnerability details, version breakdowns, and the VEX document are available on the HeroDevs vulnerability directory entry for CVE-2025-55752.