CVE-2025-31651 Information

Description

Improper Neutralization of Escape Meta or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints those constraints could be bypassed.

This issue affects Apache Tomcat from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, and from 9.0.0.M1 through 9.0.102.

Users are recommended to upgrade to version [FIXED_VERSION] which fixes the issue.
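The affected ranges above are awkward to check by eye because Tomcat milestone builds are written two ways (11.0.0-M1 on the 10.x/11.x lines, 9.0.0.M1 on the 9.0.x line) and must sort before the final release of the same number. The following Python script is an added triage example, not code from the Tomcat project or from this advisory: it parses a Tomcat version string, tests it against the advisory's inclusive ranges, and checks a server.xml or context.xml for the org.apache.catalina.valves.rewrite.RewriteValve declaration that loads rewrite rules. The server.xml fragment embedded in the script is constructed for illustration and does not come from any real host.

```python
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges exactly as listed in the advisory for CVE-2025-31651.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.5"),
    ("10.1.0-M1", "10.1.39"),
    ("9.0.0.M1", "9.0.102"),
]

# Valve class that enables rewrite rule processing in Tomcat.
REWRITE_VALVE = "org.apache.catalina.valves.rewrite.RewriteValve"

# MAJOR.MINOR.PATCH with an optional milestone suffix: "-M<n>" (10.x/11.x) or ".M<n>" (9.0.x).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(version):
    """Return a sortable key for a Tomcat version string.

    Milestones sort before the final release of the same number, so
    9.0.0.M1 < 9.0.0.M26 < 9.0.0 < 9.0.1. Unknown formats raise ValueError.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version):
    """True if the version lies inside one of the advisory's affected ranges.

    Anything above an upper bound is treated as outside the advisory's range;
    confirm the actual fixed release against the Tomcat announcement.
    """
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def rewrite_valve_configured(xml_text):
    """True if the given server.xml/context.xml content declares the RewriteValve.

    The bypass only matters when rewrite rules are processed, so a host that
    never loads the valve is not exposed even on an affected build.
    """
    root = ET.fromstring(xml_text)
    return any(valve.get("className") == REWRITE_VALVE for valve in root.iter("Valve"))


def triage(version, xml_text):
    """Combine the version and configuration checks into one verdict string."""
    affected = is_affected(version)
    uses_rewrite = rewrite_valve_configured(xml_text)
    if affected and uses_rewrite:
        return "exposed: affected build with RewriteValve enabled; upgrade and review rewrite.config"
    if affected:
        return "affected build without RewriteValve configured; upgrade"
    return "not in the advisory's affected range"


# Constructed server.xml fragment (hypothetical host) with the RewriteValve enabled.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/>
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for v in ("9.0.0.M1", "9.0.102", "10.1.39", "11.0.0-M1", "11.0.5", "8.5.100"):
        print(f"{v:>10}: {triage(v, SAMPLE_SERVER_XML)}")
```

The valve can also be declared in conf/context.xml or in a web application's own META-INF/context.xml, so run rewrite_valve_configured over every such file, not only server.xml. Presence of the valve is a conservative signal: the advisory says only a subset of rewrite rule configurations are bypassable, so a flagged host still needs its rewrite.config reviewed, and any rewrite rule that stands in for an access-control decision should be backed by a web.xml security constraint rather than relied on alone.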

Reference

http://www.openwall.com/lists/oss-security/2025/04/28/3
https://lists.apache.org/list.html?announce@tomcat.apache.org
