CVE-2025-55752: 
Java vulnerability analysis and mitigation

A Relative Path Traversal vulnerability (CVE-2025-55752) was discovered in Apache Tomcat, affecting versions 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, 9.0.0.M11 through 9.0.108, and 8.5.6 through 8.5.100. The vulnerability was disclosed on October 27, 2025, and stems from a regression introduced in the fix for bug 60013 where rewritten URLs were normalized before being decoded (NVD).

The vulnerability occurs due to improper URL normalization during request rewriting, where the rewritten URL is normalized before being decoded. This creates a security issue specifically when rewrite rules are configured to rewrite query parameters to the URL. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows attackers to manipulate the request URI to bypass security constraints, including protections for /WEB-INF/ and /META-INF/ directories. In scenarios where PUT requests are enabled, attackers could potentially upload malicious files, leading to remote code execution (SecurityOnline).

Users are strongly recommended to upgrade to the patched versions: Tomcat 11.0.11 or later, 10.1.45 or later, or 9.0.109 or later, which contain fixes for this vulnerability. These updates address the URL normalization issue and restore proper security constraints (NVD).