CVE-2025-31651: 
Java vulnerability analysis and mitigation

A security vulnerability (CVE-2025-31651) was discovered in Apache Tomcat's rewrite rule processing component, involving improper neutralization of escape, meta, or control sequences. The vulnerability affects Apache Tomcat versions 11.0.0-M1 through 11.0.5, 10.1.0-M1 through 10.1.39, and 9.0.0.M1 through 9.0.102. The issue was disclosed on April 28, 2025, and was discovered by COSCO Shipping Lines DIC (NVD, Wiz).

The vulnerability is classified as CWE-116 (Improper Encoding or Escaping of Output). The National Vulnerability Database has assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating critical severity with network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

When exploited, this vulnerability allows attackers to bypass security constraints in certain rewrite rule configurations. For a subset of unlikely rewrite rule configurations, specially crafted requests can bypass rewrite rules that enforce security constraints, potentially compromising system security (NVD, Wiz).

Users are strongly recommended to upgrade to the fixed versions: Apache Tomcat 11.0.6, 10.1.40, or 9.0.104, which contain the necessary security patches (Wiz).