Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

vendor_unpatched cve-2025-49125: Unpatched CVEs for Debian Linux, Ubuntu Linux (cve-2025-49125)

The remote Redhat Enterprise Linux 10 / 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:11741 advisory.

    Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web     applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster),     the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

    This release of Red Hat JBoss Web Server 6.1.1 serves as a replacement for Red Hat JBoss Web Server 6.1.0.
    This release includes bug fixes, enhancements and component upgrades, which are documented in the Release     Notes that are linked to in the References section.

    Security Fix(es):

    * tomcat: Apache Tomcat DoS in multipart upload [jws-6] (CVE-2025-48988)
    * tomcat-catalina: Apache Tomcat: Security constraint bypass for pre/post-resources [jws-6]     (CVE-2025-49125)
    * tomcat: Apache Commons FileUpload DoS via part headers [jws-6] (CVE-2025-48976)
    * jws6-tomcat: Apache Tomcat denial of service [jws-6] (CVE-2025-53506)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Atlassian Jira Service Management Data Center and Server (Jira Service Desk) running on the remote host is affected by a vulnerability as referenced in the JSDSERVER-16308 advisory.

  - Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed. This issue     affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1     through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the     issue. (CVE-2025-49125)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:11695 advisory.

    Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web     applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster),     the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

    This release of Red Hat JBoss Web Server 5.8.5 serves as a replacement for Red Hat JBoss Web Server 5.8.4.
    This release includes bug fixes, enhancements and component upgrades, which are documented in the Release     Notes that are linked to in the References section.

    Security Fix(es):

    * tomcat: Apache Tomcat DoS in multipart upload [jws-5] (CVE-2025-48988)
    * tomcat-catalina: Apache Tomcat: Security constraint bypass for pre/post-resources [jws-5]     (CVE-2025-49125)
    * tomcat: Apache Commons FileUpload DoS via part headers [jws-5] (CVE-2025-48976)
    * jws5-tomcat: Apache Tomcat denial of service [jws-5] (CVE-2025-52520)
    * jws5-tomcat: Apache Tomcat denial of service [jws-5] (CVE-2025-52434)
    * jws5-tomcat: Apache Tomcat denial of service [jws-5] (CVE-2025-53506)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4244 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-4244-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                      Markus Koschany     July 22, 2025                                 https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : tomcat9     Version        : 9.0.107-0+deb11u1     CVE ID         : CVE-2024-34750 CVE-2024-54677 CVE-2025-31650 CVE-2025-31651                      CVE-2025-46701 CVE-2025-48976 CVE-2025-48988 CVE-2025-49125                      CVE-2025-52434 CVE-2025-52520 CVE-2025-53506

    Several security vulnerabilities have been found in Tomcat 9, a Java web server     and servlet engine. Most notably the update improves the handling of HTTP/2     connections and corrects various flaws which can lead to uncontrolled resource     consumption and a denial of service.

    For Debian 11 bullseye, these problems have been fixed in version     9.0.107-0+deb11u1.

    We recommend that you upgrade your tomcat9 packages.

    For the detailed security status of tomcat9 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/tomcat9

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: This is a digitally signed message part

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The versions of Oracle Database Server installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2025 CPU advisory.

  - Vulnerability in the Oracle Database component of Oracle Database Server.  Supported versions that     are affected are 19.3-19.27 and  23.4-23.8. Easily exploitable vulnerability allows low privileged     attacker having Create Session, Create Procedure privilege with network access via Oracle Net to     compromise Oracle Database.  Successful attacks of this vulnerability can result in takeover of Oracle     Database. (CVE-2025-30751)

  - Vulnerability in the Java VM component of Oracle Database Server.  Supported versions that are affected     are 19.3-19.27 and  21.3-21.18. Easily exploitable vulnerability allows low privileged attacker having     Create Session, Create Procedure privilege with network access via Oracle Net to compromise Java VM.
    While the vulnerability is in Java VM, attacks may significantly impact additional products (scope change).
    Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete     access to all Java VM accessible data. (CVE-2025-50069)

  - Vulnerability in the Oracle Text (FreeType) component of Oracle Database Server.  Supported versions     that are affected are 19.3-19.27, 21.3-21.18 and  23.4-23.8. Difficult to exploit vulnerability allows     low privileged attacker having Create Session, Create Index privilege with network access via Oracle Net     to compromise Oracle Text (FreeType).  Successful attacks of this vulnerability can result in takeover     of Oracle Text (FreeType). (CVE-2025-27363)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:02280-1 advisory.

    - CVE-2025-46701: Fixed refactor CGI servlet to access resources via WebResources (bsc#1243815).
    - CVE-2025-48988: Fixed limits the total number of parts in a multi-part request and limits the size of     the headers provided with each part (bsc#1244656).
    - CVE-2025-49125: Fixed expand checks for webAppMount (bsc#1244649).

    Other bugfixes:

    - Made permissions more secure (bsc#1242722)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1064 advisory.

    Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload.

    This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.

    Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue. (CVE-2025-48976)

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-48988)

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from     9.0.0.M1 through 9.0.105.

    Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-49125)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of tomcat installed on the remote host is prior to 9.0.106-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT9-2025-020 advisory.

    Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload.

    This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.

    Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue. (CVE-2025-48976)

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-48988)

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from     9.0.0.M1 through 9.0.105.

    Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-49125)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1065 advisory.

    Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload.

    This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.

    Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue. (CVE-2025-48976)

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-48988)

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from     9.0.0.M1 through 9.0.105.

    Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-49125)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:02261-1 advisory.

    - Fixed refactor CGI servlet to access resources via WebResources (bsc#1243815).
    - Fixed limits the total number of parts in a multi-part request and       limits the size of the headers provided with each part (bsc#1244656).
    - Fixed expand checks for webAppMount (bsc#1244649).
    - Hardening permissions (bsc#1242722)

    Update to Tomcat 10.1.42:

      * Fixed CVEs:

        - CVE-2025-46701: refactor CGI servlet to access resources via           WebResources (bsc#1243815)
        - CVE-2025-48988: limits the total number of parts in a           multi-part request and limits the size of           the headers provided with each part (bsc#1244656)
        - CVE-2025-49125: Expand checks for webAppMount (bsc#1244649)

      * Catalina:

        - Add: Support for the java:module namespace which mirrors the           java:comp namespace.
        - Add: Support parsing of multiple path parameters separated by ; in a           single URL segment. Based on pull request #860 by Chenjp.
        - Add: Support for limiting the number of parameters in HTTP requests           through the new ParameterLimitValve. The valve allows configurable           URL-specific limits on the number of parameters.
        - Fix: 69699: Encode redirect URL used by the rewrite valve with the           session id if appropriate, and handle cross context with different           session configuration when using rewrite.
        - Add: #863: Support for comments at the end of lines in text rewrite           map files to align behaviour with Apache httpd. Pull request           provided by Chenjp.
        - Fix: 69706: Saved request serialization issue in FORM introduced           when allowing infinite session timeouts.
        - Fix: Expand the path checks for Pre-Resources and Post-Resources           mounted at a path within the web application.
        - Fix: Use of SSS in SimpleDateFormat pattern for AccessLogValve.
        - Fix: Process possible path parameters rewrite production in the           rewrite valve.
        - Fix: 69588: Enable allowLinking to be set on PreResources,           JarResources and PostResources. If not set explicitly, the setting           will be inherited from the Resources.
        - Add: 69633: Support for Filters using context root mappings.
        - Fix: 69643: Optimize directory listing for large amount of files.
          Patch submitted by Loic de l'Eprevier.
        - Fix: #843: Off by one validation logic for partial PUT ranges and           associated test case. Submitted by Chenjp.
        - Refactor: Replace the unused buffer in           org.apache.catalina.connector.InputBuffer with a static, zero           length buffer.
        - Refactor: GCI servlet to access resources via the WebResource API.
        - Fix: 69662: Report name in exception message when a naming lookup           failure occurs. Based on code submitted by Donald Smith.
        - Fix: Ensure that the FORM authentication attribute           authenticationSessionTimeout works correctly when sessions have an           infinite timeout when authentication starts.
        - Add: Provide a content type based on file extension when web           application resources are accessed via a URL.
      * Coyote
        - Refactor: #861: TaskQueue to use the new interface RetryableQueue           which enables better integration of custom Executors which provide           their own BlockingQueue implementation. Pull request provided by           Paulo Almeida.
        - Add: Finer grained control of multi-part request processing via two           new attributes on the Connector element. maxPartCount limits the           total number of parts in a multi-part request and maxPartHeaderSize           limits the size of the headers provided with each part. Add support           for these new attributes to the ParameterLimitValve.
        - Refactor: The SavedRequestInputFilter so the buffered data is used           directly rather than copied.

      * Jasper:

        + Fix: 69696: Mark the JSP wrapper for reload after a failed           compilation.
        + Fix: 69635: Add support to jakarta.el.ImportHandler for resolving           inner classes.
        + Add: #842: Support for optimized execution of c:set and c:remove           tags, when activated via JSP servlet param           useNonstandardTagOptimizations.
        + Fix: An edge case compilation bug for JSP and tag files on case           insensitive file systems that was exposed by the test case for           69635.

      * Web applications:

        + Fix: 69694: Improve error reporting of deployment tasks done using           the manager webapp when a copy operation fails.
        + Add: 68876: Documentation. Update the UML diagrams for server           start-up, request processing and authentication using PlantUML and           include the source files for each diagram.

      * Other:

        + Add: Thread name to webappClassLoader.stackTraceRequestThread           message. Patch provided by Felix Zhang.
        + Update: Tomcat Native to 2.0.9.
        + Update: The internal fork of Apache Commons FileUpload to 1.6.0-RC1           (2025-06-05).
        + Update: EasyMock to 5.6.0.
        + Update: Checkstyle to 10.25.0.
        + Fix: Use the full path when the installer for Windows sets calls           icacls.exe to set file permissions.
        + Update: Improvements to Japanese translations provided by tak7iji.
        + Fix: Set sun.io.useCanonCaches in service.bat Based on pull request           #841 by Paul Lodge.
        + Update: Jacoco to 0.8.13.
        + Code: Explicitly set the locale to be used for Javadoc. For           official releases, this locale will be English (US) to support           reproducible builds.
        + Update: Byte Buddy to 1.17.5.
        + Update: Checkstyle to 10.23.1.
        + Update: File extension to media type mappings to align with the           current list used by the Apache Web Server (httpd).
        + Update: Improvements to French translations.
        + Update: Improvements to Japanese translations provided by tak7iji.

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:02214-1 advisory.

    - CVE-2025-46701: Refactored CGI servlet to access resources via WebResources (bsc#1243815).
     - CVE-2025-48988: Limited the total number of parts in a multi-part request and limits the size of the     headers provided with each part (bsc#1244656).
     - CVE-2025-49125: Expand checks for webAppMount (bsc#1244649).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the apache package has been released.

The version of Apache Tomcat installed on the remote host is 9.0.0-M1 prior to 9.0.106, 10.1.0-M1 prior to 10.1.42 or 11.0.0-M1 prior to 11.0.8. It is, therefore, affected by multiple vulnerabilities :

 - When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. (CVE-2025-49125)

 - During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This enabled a side-loading vulnerability. (CVE-2025-49124)

 - Tomcat used the same limit for both request parameters and parts in a multipart request. Since uploaded parts also include headers which must be retained, processing multipart requests can result in significantly more memory usage. A specially crafted request that used a large number of parts could trigger excessive memory usage leading to a DoS. (CVE-2025-48988)

 - Apache Commons FileUpload provided a hard-coded limit of 10kB for the size of the headers associated with a multipart request. A specially crafted request that used a large number of parts with large headers could trigger excessive memory usage leading to a DoS. (CVE-2025-48976)

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 9.0.106. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.106_security-9 advisory.

  - Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from     2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the     issue. (CVE-2025-48976)

  - Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed. This issue     affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1     through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the     issue. (CVE-2025-49125)

  - Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the     Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache     Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. Users are     recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. (CVE-2025-49124)

  - Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-48988)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 11.0.8. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_11.0.8_security-11 advisory.

  - Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from     2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the     issue. (CVE-2025-48976)

  - Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed. This issue     affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1     through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the     issue. (CVE-2025-49125)

  - Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the     Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache     Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. Users are     recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. (CVE-2025-49124)

  - Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-48988)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 10.1.42. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_10.1.42_security-10 advisory.

  - Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from     2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the     issue. (CVE-2025-48976)

  - Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed. This issue     affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1     through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the     issue. (CVE-2025-49125)

  - Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the     Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache     Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. Users are     recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. (CVE-2025-49124)

  - Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-48988)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
243185	RHEL 10 / 8 / 9 : Red Hat JBoss Web Server 6.1.1 (RHSA-2025:11741)	Nessus	Red Hat Local Security Checks	high
242974	Atlassian Jira Service Management Data Center and Server 5.12.x < 5.12.25 / 10.3.x < 10.3.8 / 10.7.x < 10.7.2 (JSDSERVER-16308)	Nessus	Misc.	high
242932	RHEL 7 / 8 / 9 : Red Hat JBoss Web Server 5.8.5 (RHSA-2025:11695)	Nessus	Red Hat Local Security Checks	high
242491	Debian dla-4244 : libtomcat9-embed-java - security update	Nessus	Debian Local Security Checks	high
242296	Oracle Database Server (July 2025 CPU)	Nessus	Databases	high
241962	SUSE SLES15 / openSUSE 15 Security Update : tomcat (SUSE-SU-2025:02280-1)	Nessus	SuSE Local Security Checks	high
241761	Amazon Linux 2023 : tomcat10, tomcat10-admin-webapps, tomcat10-el-5.0-api (ALAS2023-2025-1064)	Nessus	Amazon Linux Local Security Checks	high
241736	Amazon Linux 2 : tomcat (ALASTOMCAT9-2025-020)	Nessus	Amazon Linux Local Security Checks	high
241733	Amazon Linux 2023 : tomcat9, tomcat9-admin-webapps, tomcat9-el-3.0-api (ALAS2023-2025-1065)	Nessus	Amazon Linux Local Security Checks	high
241675	SUSE SLES15 / openSUSE 15 Security Update : tomcat10 (SUSE-SU-2025:02261-1)	Nessus	SuSE Local Security Checks	high
241342	SUSE SLES12 Security Update : tomcat (SUSE-SU-2025:02214-1)	Nessus	SuSE Local Security Checks	high
241155	Photon OS 4.0: Apache PHSA-2025-4.0-0823	Nessus	PhotonOS Local Security Checks	high
241060	Photon OS 5.0: Apache PHSA-2025-5.0-0537	Nessus	PhotonOS Local Security Checks	high
114888	Apache Tomcat 9.0.0-M1 < 9.0.106 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
114887	Apache Tomcat 10.1.0-M1 < 10.1.42 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
114886	Apache Tomcat 11.0.0-M1 < 11.0.8 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
240060	Apache Tomcat 9.0.0.M1 < 9.0.106 multiple vulnerabilities	Nessus	Web Servers	high
240059	Apache Tomcat 11.0.0.M1 < 11.0.8 multiple vulnerabilities	Nessus	Web Servers	high
240058	Apache Tomcat 10.1.0.M1 < 10.1.42 multiple vulnerabilities	Nessus	Web Servers	high

Detections

Analytics

CVE-2025-49125

medium

Tenable Plugins

Coming Soon

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high