CVE-2025-55752: High Severity In Tomcat-embed-core

Hey everyone! Let's dive into a critical security issue that has been identified: CVE-2025-55752, a high-severity vulnerability affecting the tomcat-embed-core-10.1.40.jar library. This vulnerability has implications for applications using this component, so it’s super important to understand the details and take action. This article breaks down what you need to know, how it might affect your projects, and what steps you can take to protect your applications.

Vulnerable Library: tomcat-embed-core-10.1.40.jar

First off, let's identify the culprit. The vulnerability lies within tomcat-embed-core-10.1.40.jar, which is a core component of the Apache Tomcat embedded server. For those unfamiliar, Apache Tomcat is a widely-used open-source web server and servlet container. This particular .jar file is crucial for running web applications that rely on Tomcat's functionality.

tomcat-embed-core is a fundamental part of the Tomcat infrastructure, making this vulnerability a significant concern for many Java-based web applications. The library's primary function is to provide the necessary classes and resources to embed a Tomcat server within an application, which is a common practice for Spring Boot applications and other modern Java web frameworks. This means that if your application includes this library, it could potentially be at risk. Knowing exactly which library is affected is the first step in addressing the issue.

This vulnerable library is found in several paths within the hapi-fhir project, specifically in the pom.xml files of the client and server samples. The affected paths include:

• /hapi-fhir-spring-boot/hapi-fhir-spring-boot-samples/hapi-fhir-spring-boot-sample-client-okhttp/pom.xml
• /hapi-fhir-spring-boot/hapi-fhir-spring-boot-samples/hapi-fhir-spring-boot-sample-server-jersey/pom.xml
• /hapi-fhir-spring-boot/hapi-fhir-spring-boot-samples/hapi-fhir-spring-boot-sample-client-apache/pom.xml

To confirm if your project is affected, check these pom.xml files for the vulnerable library. If you find it listed as a dependency, it's crucial to take the necessary steps to mitigate the vulnerability.

Dependency Hierarchy

Understanding the dependency hierarchy helps in tracing how the vulnerable library is included in your project. In this case, tomcat-embed-core-10.1.40.jar is brought in through the following chain:

- spring-boot-starter-web-3.3.11.jar (Root Library)
  - spring-boot-starter-tomcat-3.3.11.jar
    - :x: **tomcat-embed-core-10.1.40.jar** (Vulnerable Library)

This means that spring-boot-starter-web, a common dependency in Spring Boot applications, includes spring-boot-starter-tomcat, which in turn includes the vulnerable tomcat-embed-core. This transitive dependency path highlights how easily vulnerabilities can be introduced into a project, even if you're not directly including the vulnerable library. It's essential to review your project's dependencies to identify and address such transitive vulnerabilities.

Commit and Branch Information

This vulnerability was found in the HEAD commit 4d4d8b25d41ea632109b5a3585587d2bf861b5d6 and the base branch master of the hapifhir/hapi-fhir repository. Knowing the specific commit and branch can help developers track the introduction of the vulnerability and understand the context in which it exists. This information is valuable for teams using HAPI FHIR, as it allows them to pinpoint when the vulnerable code was introduced and assess the potential impact on their projects.

Vulnerability Details: Relative Path Traversal

The crux of the issue is a Relative Path Traversal vulnerability. This type of vulnerability occurs when an application doesn't properly validate user-supplied input that's used to construct file paths. In simpler terms, an attacker can manipulate the URL to access files or directories outside of the intended scope. Imagine it like someone using backdoors to get into areas they shouldn't!

Specifically, this vulnerability stems from a regression introduced in the fix for bug 60013 in Apache Tomcat. The rewritten URL was normalized before it was decoded, creating a loophole. For rewrite rules that transform query parameters into the URL, an attacker could craft a request URI to bypass security constraints. This includes the protection mechanisms for sensitive directories like /WEB-INF/ and /META-INF/. These directories are crucial for web application security as they contain configuration files and other sensitive information that should not be publicly accessible.

The Attack Scenario

Let’s break down a potential attack scenario. An attacker could manipulate the request URI to bypass security constraints designed to protect sensitive directories. For instance, they might craft a URL that includes path traversal sequences (like ../) to navigate up the directory structure and access files in /WEB-INF/. This is a classic path traversal attack, and the consequences can be severe.

If PUT requests are enabled, the situation becomes even more critical. An attacker could potentially upload malicious files, leading to remote code execution (RCE). RCE is a nightmare scenario where an attacker can execute arbitrary code on the server, effectively taking control of the system. However, it’s worth noting that PUT requests are typically limited to trusted users, and enabling PUT requests alongside URI manipulation rewrites is considered an unlikely configuration. Despite the lower likelihood, the severity of potential RCE makes this a critical vulnerability.

Affected Versions

This vulnerability affects a wide range of Apache Tomcat versions:

• 11.0.0-M1 through 11.0.10
• 10.1.0-M1 through 10.1.44
• 9.0.0.M11 through 9.0.108

Additionally, older versions that were EOL (End Of Life) at the time the CVE was created are also known to be affected, including versions 8.5.6 through 8.5.100. It's crucial to recognize that using EOL software can expose you to unpatched vulnerabilities, as these versions no longer receive security updates.

Publication and Impact

This vulnerability was published on 2025-10-27, highlighting the need for immediate action. You can find more details about this vulnerability on the Mend vulnerability database here. Staying informed about the publication date and having access to detailed vulnerability databases is key to maintaining a secure application environment. These databases provide critical information, including descriptions, affected versions, and remediation steps.

CVSS 3 Score Details: 7.5 (High Severity)

The Common Vulnerability Scoring System (CVSS) provides a standardized way to assess the severity of vulnerabilities. CVE-2025-55752 has a CVSS 3 base score of 7.5, which is considered High Severity. This score reflects the potential impact and exploitability of the vulnerability.

Base Score Metrics

Let's break down the metrics that contribute to this score:

Exploitability Metrics:

• Attack Vector: Network
  • This means the vulnerability can be exploited over a network, making it remotely exploitable. This significantly increases the risk, as attackers can target the application from anywhere with network access.
• Attack Complexity: High
  • Exploiting this vulnerability requires specialized knowledge or access conditions, meaning it's not a simple, straightforward exploit. However, a high complexity doesn't mean it's impossible to exploit; it just requires more effort and expertise from the attacker.
• Privileges Required: Low
  • An attacker with low privileges can exploit this vulnerability. This means an attacker doesn't need high-level administrative access to carry out an attack, making it easier to exploit.
• User Interaction: None
  • No user interaction is required to exploit this vulnerability. The attacker can exploit the vulnerability without needing to trick a user into performing any actions, such as clicking a link or opening a file.
• Scope: Unchanged
  • An exploitation of this vulnerability will only affect the vulnerable component, not other parts of the system. While the impact is contained, it can still be severe within that component.

Impact Metrics:

• Confidentiality Impact: High
  • There is a high impact on confidentiality, meaning an attacker could gain access to sensitive information. This could include personal data, financial records, or proprietary information.
• Integrity Impact: High
  • The integrity impact is also high, meaning an attacker could modify data or system configurations. This can lead to data corruption, unauthorized changes, or the introduction of malicious content.
• Availability Impact: High
  • This vulnerability has a high impact on availability, meaning an attacker could disrupt the service, making it unavailable to legitimate users. This could result in significant downtime and business disruption.

For a deeper dive into CVSS3 scores, you can check out the CVSS calculator here. Understanding these metrics helps in prioritizing the remediation efforts based on the potential impact and ease of exploitation.

Suggested Fix: Upgrade Your Tomcat Version

The recommended solution to address CVE-2025-55752 is to upgrade your Apache Tomcat version to a patched release. Upgrading is a crucial step in mitigating vulnerabilities, as newer versions often include fixes for known security issues.

Specific Fix Resolutions

Here are the specific versions that include the fix for this vulnerability:

• org.apache.tomcat.embed:tomcat-embed-core: Upgrade to version 10.1.45 or later.
• org.springframework.boot:spring-boot-starter-web: If you're using Spring Boot, upgrade to version 3.4.10 or later. This will ensure that you're using a version of Spring Boot that includes the patched Tomcat version.

Release Date and Origin

The fix was released on 2025-10-27. More information about the fix can be found on the Apache Tomcat mailing lists here. Staying updated on release dates and official announcements is crucial for promptly addressing security concerns.

Steps to Upgrade

1. Identify Your Current Version: Determine the version of tomcat-embed-core your application is currently using. You can find this information in your project's pom.xml file (for Maven projects) or build.gradle file (for Gradle projects).
2. Update Dependencies: Modify your project's dependency management file to specify the fixed version (10.1.45 or later for tomcat-embed-core, or 3.4.10 or later for spring-boot-starter-web).
3. Test Thoroughly: After upgrading, perform thorough testing to ensure your application functions as expected. Pay special attention to areas that handle URL rewriting or file access.
4. Deploy the Updated Application: Once you've confirmed that the upgrade is successful and your application is stable, deploy the updated version to your production environment.

Final Thoughts

Security vulnerabilities like CVE-2025-55752 are a serious concern, but they don't have to be a cause for panic. By understanding the issue, assessing your risk, and taking the recommended steps, you can protect your applications and data. Make sure to stay vigilant about security updates and follow best practices for dependency management.

Step up your Open Source Security Game with Mend here. This resource can provide additional insights and tools to help you manage your open-source security.