A newly disclosed vulnerability in Apache Tomcat’s CGI servlet could allow attackers to bypass security constraints under certain conditions. Tracked as CVE-2025-46701, the flaw affects multiple Tomcat versions and was publicly disclosed on May 29, 2025.
The vulnerability results from improper handling of case sensitivity in the pathInfo component of URLs mapped to the CGI servlet. It matters when Tomcat runs on a case-insensitive file system (the default on Windows and macOS) and security constraints are configured on those CGI URLs: a security constraint is matched against the request URL case-sensitively, so a request whose pathInfo differs only in case falls outside the constraint, while the file system still resolves that pathInfo to the protected script.
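The following is an added model of that mismatch, not Tomcat's code: a case-sensitive url-pattern matcher next to a file lookup that can be case-insensitive. The servlet mapping, script names and the two constraints are constructed for the example.

```python
"""Model of the case-sensitivity mismatch behind CVE-2025-46701.

Added example, not Tomcat's code: it reproduces the shape of the problem
(security constraints match the request URL case-sensitively, while a
case-insensitive file system maps differently cased pathInfo values to the
same script). The mapping, script names and constraints are constructed.
"""

# Constructed deployment: CGI servlet mapped at /cgi-bin/*, two scripts on disk.
CGI_MAPPING = "/cgi-bin/*"
SCRIPTS_ON_DISK = {"admin.cgi", "status.cgi"}   # names as stored under WEB-INF/cgi

# Two ways an administrator might protect the admin script.
EXACT_CONSTRAINT = [{"url-pattern": "/cgi-bin/admin.cgi", "roles": {"admin"}}]
PREFIX_CONSTRAINT = [{"url-pattern": "/cgi-bin/*", "roles": {"admin"}}]


def matching_constraint(request_path, constraints):
    """Servlet-spec style matching: exact and prefix patterns, compared
    case-sensitively against the request path."""
    for c in constraints:
        pattern = c["url-pattern"]
        if pattern.endswith("/*"):
            base = pattern[:-2]
            if request_path == base or request_path.startswith(base + "/"):
                return c
        elif request_path == pattern:
            return c
    return None


def path_info(request_path):
    """pathInfo for a prefix mapping: the part after the mapping's base, or
    None if the request does not hit the mapping (mappings are case-sensitive
    too, so /CGI-BIN/x never reaches the CGI servlet in this model)."""
    base = CGI_MAPPING[:-2]
    if request_path.startswith(base + "/"):
        return request_path[len(base):]
    return None


def resolve_script(info, case_insensitive_fs):
    """Turn pathInfo into the on-disk script the CGI servlet would execute.
    A case-insensitive file system finds 'admin.cgi' for '/Admin.cgi'."""
    name = info.lstrip("/")          # flat script directory in this model
    if name in SCRIPTS_ON_DISK:
        return name
    if case_insensitive_fs:
        for stored in SCRIPTS_ON_DISK:
            if stored.lower() == name.lower():
                return stored
    return None


def simulate(request_path, user_roles, case_insensitive_fs, constraints):
    """Return (decision, script): decision is 'not-mapped', 'denied' or
    'allowed'; script is the file that would run, or None."""
    info = path_info(request_path)
    if info is None:
        return ("not-mapped", None)
    c = matching_constraint(request_path, constraints)
    if c is not None and not (set(user_roles) & c["roles"]):
        return ("denied", None)
    return ("allowed", resolve_script(info, case_insensitive_fs))


if __name__ == "__main__":
    for path, fs in [("/cgi-bin/admin.cgi", True), ("/cgi-bin/Admin.cgi", True),
                     ("/cgi-bin/Admin.cgi", False)]:
        print(path, "case-insensitive" if fs else "case-sensitive",
              simulate(path, set(), fs, EXACT_CONSTRAINT))
```

With the exact-path constraint, an unauthenticated request for /cgi-bin/Admin.cgi is allowed through and runs admin.cgi on a case-insensitive file system, but only produces "script not found" on a case-sensitive one. In this model a constraint that covers the whole servlet mapping (PREFIX_CONSTRAINT) denies the variant as well, because the case change sits inside pathInfo and the prefix pattern matches regardless; that is a property of the model, not a substitute for applying the fixed Tomcat release.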
Impact and Risk Level
Although rated low severity, the flaw may allow unauthorized access to protected CGI resources. It only affects systems where CGI support has been explicitly enabled; the CGIServlet declaration in Tomcat's conf/web.xml ships commented out, so the feature is disabled by default in all versions of Tomcat.
Environments that do not use CGI functionality or that run Tomcat on case-sensitive file systems are not impacted.
Affected Versions
The vulnerability spans a wide range of Apache Tomcat versions:
- Tomcat 11.0.0-M1 through 11.0.6
- Tomcat 10.1.0-M1 through 10.1.40
- Tomcat 9.0.0-M1 through 9.0.104
Patch and Mitigation
The Apache Software Foundation has released patched versions that correct the case sensitivity issue within the CGI servlet:
- Tomcat 11.0.7
- Tomcat 10.1.41
- Tomcat 9.0.105
Organizations using CGI should immediately upgrade to one of these versions. Those not using CGI are advised to verify that the feature remains disabled to reduce exposure.
Security Guidance
- Check whether CGI support is enabled: look for an uncommented org.apache.catalina.servlets.CGIServlet declaration and its servlet-mapping in conf/web.xml and in each application's WEB-INF/web.xml.
- If it is enabled on a case-insensitive file system, review the security constraints whose url-pattern names a specific path under the CGI mapping; those are the constraints a differently cased request could sidestep until the patch is applied.
- Apply the latest security patches provided by Apache.
- Disable CGI if it is not required for the application environment.
- Continue regular security audits and follow Apache’s security advisories.
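An added audit helper for the first two checks above (not an Apache-provided tool): it reports whether a web.xml declares the CGI servlet outside XML comments, which url-patterns map to it, which security-constraint patterns name an exact path under those mappings, and whether a version string falls in the affected ranges listed earlier. The sample web.xml is constructed for the example.

```python
"""Audit helper for CVE-2025-46701 exposure.

Added example, not an Apache-provided tool. It implements two checks:
  1. whether a web.xml declares org.apache.catalina.servlets.CGIServlet outside
     XML comments, which url-patterns map to it, and which security-constraint
     url-patterns name an exact path under one of those mappings;
  2. whether a Tomcat version string falls in the affected ranges
     (9.0.0-M1..9.0.104, 10.1.0-M1..10.1.40, 11.0.0-M1..11.0.6).
SAMPLE_WEB_XML below is constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"

# Branch -> last affected patch level, from the advisory's affected/fixed lists.
LAST_AFFECTED = {(9, 0): 104, (10, 1): 40, (11, 0): 6}


def version_affected(version):
    """True/False for the branches the advisory lists, None for other branches
    (for example the end-of-life 8.5.x line, which the advisory does not cover).
    Accepts '10.1.40', '11.0.0-M3' or the 'Apache Tomcat/9.0.104' form that
    version.sh prints. Milestones precede x.y.0 and are inside the range."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:-M\d+)?$", version.strip())
    if m is None:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(g) for g in m.groups())
    last = LAST_AFFECTED.get((major, minor))
    return None if last is None else patch <= last


def cgi_servlet_mappings(web_xml_text):
    """url-patterns mapped to the CGI servlet; [] when it is not declared.
    ElementTree discards XML comments, so Tomcat's shipped, commented-out
    declaration is correctly reported as disabled. {*} matches any namespace."""
    root = ET.fromstring(web_xml_text)
    cgi_names = {
        (s.findtext("{*}servlet-name") or "").strip()
        for s in root.iterfind(".//{*}servlet")
        if (s.findtext("{*}servlet-class") or "").strip() == CGI_SERVLET_CLASS
    }
    patterns = []
    for mapping in root.iterfind(".//{*}servlet-mapping"):
        if (mapping.findtext("{*}servlet-name") or "").strip() in cgi_names:
            patterns += [(p.text or "").strip() for p in mapping.findall("{*}url-pattern")]
    return patterns


def exact_constraints_under_cgi(web_xml_text, cgi_patterns):
    """security-constraint url-patterns that name one exact path below a CGI
    prefix mapping: the constraints a differently cased pathInfo can sidestep
    on a case-insensitive file system."""
    root = ET.fromstring(web_xml_text)
    bases = [p[:-2] for p in cgi_patterns if p.endswith("/*")]
    hits = []
    for sc in root.iterfind(".//{*}security-constraint"):
        for p in sc.iterfind(".//{*}url-pattern"):
            pat = (p.text or "").strip()
            if not pat.endswith("/*") and any(pat.startswith(b + "/") for b in bases):
                hits.append(pat)
    return hits


def audit(web_xml_text, version):
    """Combine the checks into one verdict for a deployment."""
    mappings = cgi_servlet_mappings(web_xml_text)
    return {
        "version_affected": version_affected(version),
        "cgi_enabled": bool(mappings),
        "cgi_mappings": mappings,
        "exact_constraints": exact_constraints_under_cgi(web_xml_text, mappings),
    }


# Constructed web.xml: a commented-out CGI block (as Tomcat ships it), a live
# declaration, an exact-path constraint on the admin script, and an unrelated one.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <!--
  <servlet><servlet-name>cgi-off</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class></servlet>
  -->
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name><url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin cgi</web-resource-name>
      <url-pattern>/cgi-bin/admin.cgi</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name><url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

if __name__ == "__main__":
    print(audit(SAMPLE_WEB_XML, "Apache Tomcat/10.1.40"))
```

Run it against each conf/web.xml and WEB-INF/web.xml on a host together with the output of bin/version.sh; a result with cgi_enabled true, version_affected true and a non-empty exact_constraints list is the configuration the advisory describes. Note that the servlet mapping check does not cover the context's privileged setting, which Tomcat also requires before the CGI servlet will run.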