Associated Vulnerability
Title: Apache Tomcat: Directory traversal via rewrite with possible RCE if PUT is enabled (CVE-2025-55752)
Description: Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.
Description
CVE-2025-55752 is a vulnerability in Apache Tomcat that allows directory traversal via URL rewrite and, under certain conditions, leads to remote code execution (RCE) if HTTP PUT is enabled.
Readme
🚨🚨 CVE-2025-55752 — Apache Tomcat: Directory-protection bypass via Rewrite Valve → PUT-based RCE 🚨🚨
Summary
CVE-2025-55752 is a security regression in Apache Tomcat introduced while fixing bug #60013. When the Rewrite Valve is used, Tomcat applies *path normalization* before *URL decoding*. This incorrect ordering enables crafted URIs to bypass the access checks implemented in `StandardContextValve.java` for protected paths such as `/WEB-INF/` and `/META-INF/`. If the server accepts HTTP `PUT` requests (or exposes any writable file-upload endpoint), an attacker can upload malicious artifacts (for example `.jsp` or serialized sessions) and achieve remote code execution (RCE).
---
🚨 Affected versions
* Apache Tomcat **11.0.0-M1** through **11.0.10**
* Apache Tomcat **10.1.0-M1** through **10.1.44**
* Apache Tomcat **9.0.0.M11** through **9.0.108**
> Older end-of-life (EOL) Tomcat branches that included the rewrite/normalization change may also be affected. Verify against your specific distribution/vendor build.
---
🚨 Impact
* **Confidentiality / Integrity / Availability:** High — a successful exploit may allow arbitrary file write under the webapp context and lead to remote code execution.
* **Typical targets:** Tomcat installations using the Rewrite Valve or URL rewriting features, especially when HTTP `PUT` (or other write-capable endpoints) is enabled or when webapps permit file uploads without sufficient validation.
* **Attack surface:** Publicly accessible web servers running affected Tomcat versions with writable endpoints or permissive rewrite rules.
---
🚨🚨 Technical details (concise)
1. The Rewrite Valve performs *normalization* (path canonicalization) before *URL decoding*.
2. An attacker crafts a URI that, after normalization but before decoding, bypasses `StandardContextValve` protections for `/WEB-INF/` and `/META-INF/`.
3. If the server accepts `PUT` or has a file-upload endpoint that places files under the webapp document root, the attacker can write `.jsp` or other executable content into a location that the server serves or executes, resulting in RCE.
---
Remediation & defense strategies
Immediate (recommended)
* **Upgrade Tomcat** to a fixed, supported release as soon as possible:
  * **11.0.11+**, **10.1.45+**, or **9.0.109+** (or later) — these releases include the fix for the normalization/decoding ordering and related access checks.
If immediate upgrade is not feasible (temporary mitigations)
1. **Disable HTTP `PUT`** at the server, connector, or reverse-proxy level (e.g., via web server config or firewall rules).
2. **Harden / remove Rewrite rules** that allow arbitrary rewriting to writable locations; specifically remove rules that rewrite or forward query parameters into file paths.
3. **Harden file-upload handling** in web applications:
   * Enforce server-side file type/extension checks and strict destination path validation (decode the requested path first, then normalize it, then check it).
   * Deny uploads that attempt to place files under `/WEB-INF/`, `/META-INF/`, or any application classpath.
4. **Filter/Block exploit URIs** at the perimeter (WAF / reverse proxy) by blocking suspicious encoded payloads and patterns that attempt to bypass `/WEB-INF` or `/META-INF` protections.
5. **Least privilege for file stores:** ensure the webapp process cannot write to directories that are served or executed by the container.
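The ordering problem from the technical details above, and the decode-then-normalize-then-check discipline that mitigations 3 and 4 depend on, as an added Python illustration. This is not the detector's code and not Tomcat's implementation: `normalize`, `is_protected`, `path_seen_by_guard` and `safe_upload_destination` are simplified stand-ins written for this example, and the document root `/srv/app` and the sample URIs are constructed inputs.

```python
# Added illustration (not Tomcat's code): a simplified model of why
# "normalize, then decode" lets an encoded traversal segment slip past a
# /WEB-INF/ and /META-INF/ prefix check, and how "decode, then normalize,
# then check" closes the gap. Useful as a reference for an upload-path
# validator or a perimeter rule.
import posixpath
from typing import Optional
from urllib.parse import unquote

# Container-private directories that must never be served or written to.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments of a URL path (simplified stand-in for
    the container's canonicalization; anchoring at '/' also neutralizes a
    leading '..')."""
    norm = posixpath.normpath(path or "/")
    return norm if norm.startswith("/") else "/" + norm


def is_protected(path: str) -> bool:
    """Case-insensitive prefix check for the protected directories."""
    upper = path.upper()
    return any(upper.startswith(p) or upper == p.rstrip("/") for p in PROTECTED_PREFIXES)


def path_seen_by_guard(raw_uri: str, decode_first: bool) -> str:
    """The string the access check inspects under either ordering.
    Flawed order: normalize the still-encoded URI, decode afterwards, so an
    encoded '..%2F' survives normalization and only becomes '../' later."""
    if decode_first:
        return normalize(unquote(raw_uri))   # correct: decode, then normalize
    return unquote(normalize(raw_uri))       # flawed: normalize, then decode


def served_target(raw_uri: str) -> str:
    """What the file layer ultimately resolves: fully decoded and normalized,
    regardless of which string the guard looked at."""
    return normalize(unquote(raw_uri))


def guard_allows(raw_uri: str, decode_first: bool) -> bool:
    return not is_protected(path_seen_by_guard(raw_uri, decode_first))


def is_bypass(raw_uri: str, decode_first: bool) -> bool:
    """True when the guard lets the request through but the resolved target
    lies inside a protected directory."""
    return guard_allows(raw_uri, decode_first) and is_protected(served_target(raw_uri))


def safe_upload_destination(docroot: str, requested: str) -> Optional[str]:
    """Upload-path validation (mitigation 3): decode, normalize, then reject
    anything under the protected directories. Returns the absolute path to
    write to, or None if the request must be refused."""
    rel = normalize("/" + unquote(requested))
    if is_protected(rel):
        return None
    return posixpath.join(docroot, rel.lstrip("/"))


if __name__ == "__main__":
    # Constructed sample request paths, not captured traffic.
    samples = ["/index.jsp", "/WEB-INF/web.xml", "/uploads/..%2FWEB-INF/web.xml"]
    for uri in samples:
        print(f"{uri:40} flawed-order bypass={is_bypass(uri, False)!s:5} "
              f"fixed-order bypass={is_bypass(uri, True)!s:5} "
              f"resolves to {served_target(uri)}")
    print(safe_upload_destination("/srv/app", "files/report.pdf"))
    print(safe_upload_destination("/srv/app", "..%2FWEB-INF/evil.jsp"))
```

The third sample shows the whole problem in one line: the guard that normalizes first sees `/uploads/../WEB-INF/web.xml`, which does not start with `/WEB-INF/`, while the file layer resolves the same request to `/WEB-INF/web.xml`. Decoding first makes the guard see what the file layer will see.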
---
Function Overview
This tool performs two-step detection based on the official CVE-2025-55752 description:
1. Attempts to exploit the incorrect ordering of URL normalization before decoding in Apache Tomcat’s Rewrite Valve, allowing path traversal to protected locations like `/WEB-INF` or `/META-INF`.
2. Attempts to upload a test JSP file via `HTTP PUT`, then checks if the protection mechanisms can be bypassed to access the uploaded file.
---
### Usage Examples:
**Check if path traversal to protected directories is possible:**
```bash
python3 cve_2025_55752_detector.py http://target:8080 --check
```
**Attempt to upload a JSP file and test access bypass:**
```bash
python3 cve_2025_55752_detector.py http://target:8080
```
🔧 **Customize the filename and payload content:**
```bash
python3 cve_2025_55752_detector.py http://target:8080 --filename exploit.jsp --payload "<% out.println('PWNED'); %>"
```
---
File Snapshot
[4.0K] /data/pocs/990f5345316dc0e7b1dba43c7aeaebc0b2f44940
├── [2.9K] Check_CVE-2025-55752.py
├── [4.2K] README.md
└── [ 57] requirements.txt
1 directory, 3 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support.