CVE-2025-49125: 
Java vulnerability analysis and mitigation

A critical Authentication Bypass vulnerability (CVE-2025-49125) was discovered in Apache Tomcat and disclosed on June 16, 2025. The vulnerability affects multiple versions of Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, and from 9.0.0.M1 through 9.0.105. The vulnerability was discovered by Greg K and has been classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) (NVD, OSS Security).

The vulnerability manifests when using PreResources or PostResources mounted at locations other than the root of the web application. In such configurations, it becomes possible to access these resources through an unexpected path that might not be protected by the same security constraints as the expected path, effectively allowing security constraints to be bypassed. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD, Wiz).

The vulnerability enables attackers to bypass security constraints and gain unauthorized access to resources that should be protected. This could potentially lead to unauthorized access to sensitive resources within the web application (Wiz).

Users are strongly recommended to upgrade to the fixed versions: Apache Tomcat 11.0.8, 10.1.42, or 9.0.106, which contain patches for this vulnerability (NVD, OSS Security).