Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible \nfor a specially crafted request to bypass some rewrite rules. If those \nrewrite rules effectively enforced security constraints, those \nconstraints could be bypassed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.
The following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions \nmay also be affected.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
"}],"value":"Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible \nfor a specially crafted request to bypass some rewrite rules. If those \nrewrite rules effectively enforced security constraints, those \nconstraints could be bypassed.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions \nmay also be affected.\n\n\nUsers are recommended to upgrade to version [FIXED_VERSION], which fixes the issue."}],"metrics":[{"other":{"content":{"text":"low"},"type":"Textual description of severity"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-116","description":"CWE-116 Improper Encoding or Escaping of Output","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache","dateUpdated":"2025-10-29T11:46:27.496Z"},"references":[{"tags":["vendor-advisory"],"url":"https://lists.apache.org/list.html?announce@tomcat.apache.org"}],"source":{"discovery":"EXTERNAL"},"title":"Apache Tomcat: Bypass of rules in Rewrite Valve","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2025/04/28/3"},{"url":"https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T19:53:12.871Z"}},{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":9.8,"attackVector":"NETWORK","baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"id":"CVE-2025-31651","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2025-07-30T03:55:44.862157Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-26T18:27:59.801Z"}}]}}