Overview
Apache Tomcat is an open-source web server and servlet container developed by the Apache Software Foundation. It implements several Java Enterprise Edition (Java EE) specifications including Java Servlet, JavaServer Pages (JSP), and WebSocket, allowing it to run Java web applications. Tomcat is widely used in both development and production environments due to its lightweight nature, ease of configuration, and compatibility with various Java applications.
A Path Traversal vulnerability (CVE-2025-49124) has been identified in Apache Tomcat’s Installer for Windows.
The Open Web Application Security Project (OWASP) explains that Path Traversal attacks (also known as directory traversal) aim to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and critical system files. It should be noted that access to files is limited by the operating system's access controls (for example, locked or in-use files on Microsoft Windows).
This issue affects multiple versions of Apache Tomcat below 11.0.8.
Details
Module Info
- Product: Apache Tomcat
- Affected packages: Apache Tomcat Installer for Windows
- Affected versions: >=9.0.23 <9.0.106, >=10.1.0 <10.1.42, >=11.0.0-M1 <11.0.8
- GitHub repository: https://github.com/apache/tomcat
- Published packages:
- Package manager: Maven
- Fixed in: NES 8.5.101, 9.0.106, 10.1.42, and 11.0.8
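The following is an added example, not part of this advisory or of the Tomcat project: a small Python checker that encodes the affected ranges listed above (minimum inclusive, maximum exclusive, with milestone builds such as 11.0.0-M1 sorting before the final release) and applies them to the "Server version" line that `version.bat` / `catalina version` prints. The sample output below is constructed; note that the advisory scopes the issue to the Windows Installer package, so a version match alone does not confirm that the installer was used.

```python
import re
from typing import Optional, Tuple

# Affected ranges exactly as listed in the advisory: [min inclusive, max exclusive).
AFFECTED_RANGES = [
    ("9.0.23", "9.0.106"),
    ("10.1.0", "10.1.42"),
    ("11.0.0-M1", "11.0.8"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
_FINAL = 10**6  # sentinel so that 11.0.0-M1 < 11.0.0-M26 < 11.0.0


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '10.1.41' or '11.0.0-M5' into a tuple that sorts correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    tag = int(milestone) if milestone is not None else _FINAL
    return (int(major), int(minor), int(patch), tag)


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range from the advisory."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def check_server_info(output: str) -> Optional[Tuple[str, bool]]:
    """Find 'Server version: Apache Tomcat/<ver>' in version.bat output and
    return (version, affected); None if no such line is present."""
    m = re.search(r"Server version:\s*Apache Tomcat/([0-9A-Za-z.\-]+)", output)
    if not m:
        return None
    version = m.group(1)
    return (version, is_affected(version))


# Constructed sample of version.bat output (not captured from a real host).
SAMPLE_VERSION_OUTPUT = """\
Server version: Apache Tomcat/10.1.41
Server built:   Apr 1 2025 00:00:00 UTC
Server number:  10.1.41.0
OS Name:        Windows Server 2022
"""

if __name__ == "__main__":
    print(check_server_info(SAMPLE_VERSION_OUTPUT))  # ('10.1.41', True)
```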
Vulnerability Info
During installation, the Tomcat Installer for Windows invoked icacls.exe without specifying its full path. An attacker able to influence a vulnerable installation may be able to manipulate the installer into accessing other arbitrary files on the file system.
Mitigation
Only recent versions of Apache Tomcat are community-supported. Community-supported versions that have reached end of life will not receive any updates to address this issue.
Users of the affected components should apply one of the following mitigations:
- Upgrade to a patched version of Apache Tomcat.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Credit
- T. Doğa Gelişli https://linkedin.com/in/tdogagelisli/ (finder)