CVE-2025-46701: Apache Tomcat: Security constraint bypass for CGI scripts

Description

Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104.

Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.

Classification

CVE ID: CVE-2025-46701

Problem Types

CWE-178 Improper Handling of Case Sensitivity

Affected Products

Vendor: Apache Software Foundation

Product: Apache Tomcat

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 2.73% (scored less or equal to compared to others)

EPSS Date: 2025-06-08 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-46701
https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j

Timeline

2025-05-29 20:40:12 UTC
CVE

Apache Tomcat: Security constraint bypass for CGI scripts
2025-05-29 23:15:30 UTC
Github Advisory Database (Maven)

[org.apache.tomcat.embed:tomcat-embed-core] Apache Tomcat - CGI security constraint bypass
2025-05-29 23:15:30 UTC
Github Advisory Database (Maven)

[org.apache.tomcat:tomcat-catalina] Apache Tomcat - CGI security constraint bypass