Bug 2362782 (CVE-2025-31651)

Summary: CVE-2025-31651 tomcat: Apache Tomcat: Bypass of rules in Rewrite Valve
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aogburn, cchiang, csutherl, gregk4sec, jclere, jiahli, pjindal, plodge, prodsec-dev, szappis, vrajput
Target Milestone: ---Keywords: Security
Target Release: ---Flags: aogburn: needinfo? (prodsec-dev)
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Apache Tomcat's rewrite rule processing component. This vulnerability allows security constraints to be bypassed via specially crafted HTTP requests when specific, uncommon rewrite rule configurations are in use.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2363040, 2363041, 2363042    
Bug Blocks:    

Description OSIDB Bzimport 2025-04-28 20:01:19 UTC 
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible 
for a specially crafted request to bypass some rewrite rules. If those 
rewrite rules effectively enforced security constraints, those 
constraints could be bypassed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.

Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Comment 8 Greg K 2025-05-15 02:20:13 UTC 
see apache httpd CVE-2024-38474, this issue is not identical