
Cloud Vulnerability DB
A community-led vulnerabilities database
A directory traversal vulnerability (CVE-2025-55752) was discovered in Apache Tomcat, affecting versions 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, and 9.0.0.M11 through 9.0.108. It was introduced as a regression by the fix for bug 60013, which normalizes rewritten URLs before decoding them (Debian Tracker, Security Online).
The root cause is the order of operations in URL rewrite handling: the rewritten URL is normalized before it is decoded, so path segments that are still encoded are not resolved by normalization and only take effect once decoding runs. An attacker can manipulate query parameters in the request URI to bypass security constraints, in particular the protection of the /WEB-INF/ and /META-INF/ directories. The issue was reported by Chumy Tsai of CyCraft Technology and is rated Important (Cybersecurity News).
If exploited, this vulnerability allows attackers to bypass access controls and security constraints. In configurations where PUT requests are enabled, attackers could upload malicious files, leading to remote code execution (RCE). However, PUT requests are typically limited to trusted users, so the likelihood of exploitation in standard configurations is relatively low (Security Online).
Users are strongly advised to upgrade to the patched versions: Tomcat 11.0.11 or later, 10.1.45 or later, or 9.0.109 or later. Organizations should audit their configurations, particularly focusing on instances where PUT requests are enabled alongside URL rewriting features (Debian Tracker).
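As an added illustration (not code from this page or from the Tomcat project), a Python check that canonicalizes request targets in the safe order, decode first and then normalize, and flags access-log entries whose path or query values resolve under /WEB-INF/ or /META-INF/; it also includes the regression's normalize-then-decode order to show why it misses an encoded traversal. It assumes a ROOT context and Common Log Format lines, and the sample log lines are constructed.

```python
import posixpath, re
from urllib.parse import parse_qsl, unquote

# Directories Tomcat must never serve directly (the two the page names).
PROTECTED = ("/WEB-INF/", "/META-INF/")
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def _decode_fully(s: str) -> str:
    """Percent-decode until stable, so double encoding cannot hide a segment."""
    prev = None
    while s != prev:
        prev, s = s, unquote(s)
    return s
def _normalize(path: str) -> str:
    """Collapse '.', '..' and repeated slashes; always anchored at '/'."""
    return "/" + posixpath.normpath("/" + path.replace("\\", "/")).lstrip("/")
def decode_then_normalize(path: str) -> str:
    """Safe order: decode first, then normalize."""
    return _normalize(_decode_fully(path))
def normalize_then_decode(path: str) -> str:
    """Regression order from the page: an encoded '..' is an ordinary segment
    during normalization and only becomes '..' afterwards (shown to contrast)."""
    return _decode_fully(_normalize(path))
def touches_protected(path: str) -> bool:
    """True if a canonical path (ROOT context assumed) is under a protected dir."""
    p = path.upper().rstrip("/") + "/"
    return any(p.startswith(d) for d in PROTECTED)
def candidate_paths(target: str) -> list:
    """Canonical request path plus each query value: the page says query
    parameters are what gets manipulated, so they need the same check."""
    path, _, query = target.partition("?")
    values = [v for _, v in parse_qsl(query, keep_blank_values=True)]
    return [decode_then_normalize(c) for c in [path] + values]
def find_protected_access(log_text: str) -> list:
    """Scan access-log text; return (method, raw target, canonical path) hits."""
    hits = []
    for m in REQ.finditer(log_text):
        for canon in candidate_paths(m.group("target")):
            if touches_protected(canon):
                hits.append((m.group("method"), m.group("target"), canon))
                break
    return hits

# Constructed sample lines (not real traffic), ROOT context, Common Log Format.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Oct/2025:10:00:01 +0000] "GET /index.jsp?id=7 HTTP/1.1" 200 512
10.0.0.9 - - [21/Oct/2025:10:00:02 +0000] "GET /static/%2e%2e/WEB-INF/web.xml HTTP/1.1" 200 1180
10.0.0.9 - - [21/Oct/2025:10:00:03 +0000] "GET /view?page=%252e%252e/META-INF/ctx.xml HTTP/1.1" 200 640
"""
```

Calling find_protected_access(SAMPLE_LOG) flags the second and third lines only; normalize_then_decode on the second target leaves a literal '..' in the path, which is exactly why a prefix check run in that order never fires.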
Source: This report was generated using AI