Improper Neutralization Affecting org.apache.tomcat:tomcat-catalina package, versions [9.0.76,9.0.104)[10.1.10,10.1.40)[11.0.0-M2,11.0.6)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.02% (4th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGAPACHETOMCAT-9905137
  • published30 Apr 2025
  • disclosed28 Apr 2025
  • creditCOSCO Shipping Lines DIC

Introduced: 28 Apr 2025

NewCVE-2025-31651  (opens in a new tab)
CWE-150  (opens in a new tab)

How to fix?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.104, 10.1.40, 11.0.6 or higher.

Overview

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Improper Neutralization in the RewriteValve class, which handles rewrite rules. If rewrite rules are configured to enforce security constraints, those security constraints can be bypassed in some cases by sending a malicious request involving ; or ? characters.

Note: The project maintainers note that version 9.0.103 also fixes the vulnerability but was never officially released.

CVSS Base Scores

version 4.0
version 3.1