Relative Path Traversal Affecting org.apache.tomcat:tomcat-catalina package, versions [,9.0.109)[10.1.0-M1,10.1.45)[11.0.0-M1,11.0.11)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Relative Path Traversal vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JAVA-ORGAPACHETOMCAT-13734146
- published29 Oct 2025
- disclosed27 Oct 2025
- creditChumy Tsai
Introduced: 27 Oct 2025
NewCVE-2025-55752 (opens in a new tab)How to fix?
Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.109, 10.1.45, 11.0.11 or higher.
Overview
org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.
Affected versions of this package are vulnerable to Relative Path Traversal via the URL normalization. An attacker can bypass security constraints and access restricted directories such as /WEB-INF/ and /META-INF/ by manipulating the request URI. If PUT requests are also enabled then malicious files could be uploaded leading to remote code execution.
Note:
- Older, EOL versions may also be affected.
- PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.