Multiple Recent Vulnerabilities in Apache Tomcat
Two significant vulnerabilities have been identified in Apache Tomcat, each with distinct attack vectors and impacts. CVE-2025-61795 is an improper resource shutdown or release vulnerability that can lead to a denial-of-service (DoS) condition if temporary files from multipart uploads are not cleaned up promptly, potentially exhausting disk space and exposing sensitive data. This issue affects Tomcat versions 11.0.0-M1 through 11.0.11, 10.1.0-M1 through 10.1.46, 9.0.0.M1 through 9.0.109, and several end-of-life versions, with patches available in 11.0.12, 10.1.47, and 9.0.110 and later. CVE-2025-55752 is a relative path traversal vulnerability introduced by a regression in the fix for a previous bug, allowing attackers to bypass security constraints and potentially upload malicious files if specific, non-default configurations are present. This vulnerability affects Tomcat versions 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, 9.0.0.M11 through 9.0.108, and certain EOL versions, with fixes in 11.0.11, 10.1.45, and 9.0.109 and later.
Both vulnerabilities require prompt attention from administrators, especially those running affected Tomcat versions. The DoS vulnerability (CVE-2025-61795) can be exploited by attackers to exhaust server resources, while the path traversal flaw (CVE-2025-55752) could lead to remote code execution under specific conditions. Organizations are advised to upgrade to the latest patched versions to mitigate these risks and review their Tomcat configurations to ensure that non-default features such as HTTP PUT requests and URL rewriting are not unnecessarily enabled.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
F5 publishes advisory for Apache Tomcat CVE-2025-61795
F5 issued product advisory K000157847 for the Apache Tomcat vulnerability CVE-2025-61795. The reference does not include additional synopsis or impact details.
F5 publishes advisory for Apache Tomcat CVE-2025-55752
F5 issued product advisory K000157846 بشأن the Apache Tomcat vulnerability CVE-2025-55752. The reference provides no further synopsis or technical details.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apache Tomcat Patches for URL Rewrite Bypass and Console Injection Vulnerabilities
Apache Tomcat released security updates addressing two critical vulnerabilities: a URL rewrite bypass (CVE-2025-55752) that could allow directory traversal and potential remote code execution (RCE) if the HTTP PUT method is enabled, and a console ANSI injection flaw (CVE-2025-55754) that could enable manipulation of log messages via escape sequences. The affected versions include Tomcat 11.0.0-M1 to 11.0.10, 10.1.0-M1 to 10.1.44, and 9.0.0.M11 to 9.0.108, with users and administrators urged to apply the necessary patches immediately to mitigate risk. The URL rewrite bypass vulnerability allows attackers to craft malicious requests that evade security controls, potentially leading to unauthorized file access or code execution on vulnerable servers. The console ANSI injection issue could be exploited to alter log output, possibly obscuring malicious activity or facilitating further attacks. Security advisories from both Apache and national cybersecurity authorities emphasize the importance of prompt remediation to prevent exploitation in the wild.
Mar 21, 2026
Apache Tomcat OCSP Validation Flaws Let CLIENT_CERT Authentication Fail Open
Apache disclosed two moderate-severity vulnerabilities, **CVE-2026-29145** and **CVE-2026-34500**, affecting **Apache Tomcat** and, in one case, **Apache Tomcat Native**, where OCSP-based certificate validation can sometimes **soft-fail even when soft-fail is disabled**. In affected deployments using `CLIENT_CERT` authentication, this can cause certificate checks not to fail as expected, potentially allowing authentication to proceed under conditions that should have been rejected. The first flaw impacts Tomcat 11.0.0-M1 through 11.0.18, 10.1.0-M7 through 10.1.52, and 9.0.83 through 9.0.115, as well as Tomcat Native 1.1.23 through 1.1.34, 1.2.0 through 1.2.39, 1.3.0 through 1.3.6, and 2.0.0 through 2.0.13; Tomcat through 8.5.100 was listed as unaffected. Apache said the second flaw, **CVE-2026-34500**, affects OCSP checking with **FFM** and extends to Tomcat 11.0.0-M14 through 11.0.20, 10.1.22 through 10.1.53, and 9.0.92 through 9.0.116. The project urged users to upgrade to fixed releases: for **CVE-2026-29145**, Tomcat 11.0.20, 10.1.53, or 9.0.116 and Tomcat Native 1.3.7 or 2.0.14; for **CVE-2026-34500**, Tomcat 11.0.21, 10.1.54, or 9.0.117. Apache credited **gregk4sec** with reporting CVE-2026-29145 and **Haruki Oyama of Waseda University** with reporting CVE-2026-34500.
Apr 10, 2026
Multiple Vulnerabilities Disclosed in Apache Traffic Server and Apache Tomcat
German authorities published security advisories for **Apache Traffic Server** and **Apache Tomcat/Tomcat Native**, warning of multiple vulnerabilities affecting the widely used web proxy, caching, and Java application server products. The notices identify separate issues in the two Apache projects, indicating that organizations running these technologies should review vendor guidance and determine whether exposed internet-facing services or internal application platforms are affected. The advisories provide limited public detail, but the affected software is commonly deployed in enterprise web delivery and application environments, raising the risk of service disruption, unauthorized access, or further compromise if vulnerable instances remain unpatched. Security teams are expected to prioritize asset identification, apply available updates from the Apache projects and downstream vendors, and monitor systems using **Apache Traffic Server**, **Apache Tomcat**, and **Tomcat Native** for signs of exploitation or abnormal activity.
Apr 10, 2026