The version of Tomcat installed on the remote host is prior to 11.0.8. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_11.0.8_security-11 advisory.

  - Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the     Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache     Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The     following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through     8.5.100 and 7.0.95 through 7.0.109. Users are recommended to upgrade to version 11.0.8, 10.1.42 or     9.0.106, which fix the issue. (CVE-2025-49124)

  - Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from     11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL     versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106,     which fix the issue. (CVE-2025-55668)

  - Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed. This issue     affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1     through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be     affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to     upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. (CVE-2025-49125)

  - Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected:
    8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to     version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. (CVE-2025-48988)

  - Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from     2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the     issue. (CVE-2025-48976)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 9.0.106. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.106_security-9 advisory.

  - Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the     Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache     Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The     following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through     8.5.100 and 7.0.95 through 7.0.109. Users are recommended to upgrade to version 11.0.8, 10.1.42 or     9.0.106, which fix the issue. (CVE-2025-49124)

  - Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from     11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL     versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106,     which fix the issue. (CVE-2025-55668)

  - Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed. This issue     affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1     through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be     affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to     upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. (CVE-2025-49125)

  - Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected:
    8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to     version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. (CVE-2025-48988)

  - Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from     2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the     issue. (CVE-2025-48976)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 10.1.42. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_10.1.42_security-10 advisory.

  - Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the     Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache     Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The     following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through     8.5.100 and 7.0.95 through 7.0.109. Users are recommended to upgrade to version 11.0.8, 10.1.42 or     9.0.106, which fix the issue. (CVE-2025-49124)

  - Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from     11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL     versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106,     which fix the issue. (CVE-2025-55668)

  - Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed. This issue     affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1     through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be     affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to     upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. (CVE-2025-49125)

  - Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected:
    8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to     version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. (CVE-2025-48988)

  - Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from     2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the     issue. (CVE-2025-48976)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1093 advisory.

    For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat     could lead to a DoS via bypassing of size limits.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from     9.0.0.M1 through 9.0.106.

    Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
    (CVE-2025-52520)

    Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge     the initial settings frame that reduces the maximum permitted concurrent streams.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from     9.0.0.M1 through 9.0.106.

    Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
    (CVE-2025-53506)

    Session Fixation vulnerability in Apache Tomcat via rewrite valve.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from     9.0.0.M1 through 9.0.105.Older, EOL versions may also be affected.

    Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-55668)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1065 advisory.

    Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload.

    This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.

    Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue. (CVE-2025-48976)

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-48988)

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from     9.0.0.M1 through 9.0.105.

    Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-49125)

    Session Fixation vulnerability in Apache Tomcat via rewrite valve.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from     9.0.0.M1 through 9.0.105.Older, EOL versions may also be affected.

    Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-55668)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of tomcat installed on the remote host is prior to 9.0.106-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT9-2025-020 advisory.

    Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload.

    This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.

    Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue. (CVE-2025-48976)

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-48988)

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from     9.0.0.M1 through 9.0.105.

    Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-49125)

    Session Fixation vulnerability in Apache Tomcat via rewrite valve.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from     9.0.0.M1 through 9.0.105.Older, EOL versions may also be affected.

    Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-55668)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from     11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL     versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106,     which fix the issue. (CVE-2025-55668)

Note that Nessus relies on the presence of the package as reported by the vendor.

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-986107 advisory.

    Session Fixation vulnerability in Apache Tomcat via rewrite valve.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from     9.0.0.M1 through 9.0.105.
    Older, EOL versions may also be affected.

    Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
240059	Apache Tomcat 11.0.0.M1 < 11.0.8 multiple vulnerabilities	Nessus	Web Servers	6/16/2025	8/15/2025	high
240060	Apache Tomcat 9.0.0.M1 < 9.0.106 multiple vulnerabilities	Nessus	Web Servers	6/16/2025	8/15/2025	high
240058	Apache Tomcat 10.1.0.M1 < 10.1.42 multiple vulnerabilities	Nessus	Web Servers	6/16/2025	8/15/2025	high
243501	Amazon Linux 2023 : tomcat10, tomcat10-admin-webapps, tomcat10-el-5.0-api (ALAS2023-2025-1093)	Nessus	Amazon Linux Local Security Checks	8/4/2025	9/11/2025	high
241733	Amazon Linux 2023 : tomcat9, tomcat9-admin-webapps, tomcat9-el-3.0-api (ALAS2023-2025-1065)	Nessus	Amazon Linux Local Security Checks	7/10/2025	8/28/2025	high
241736	Amazon Linux 2 : tomcat, --advisory ALAS2TOMCAT9-2025-020 (ALASTOMCAT9-2025-020)	Nessus	Amazon Linux Local Security Checks	7/10/2025	8/28/2025	high
260004	Linux Distros Unpatched Vulnerability : CVE-2025-55668	Nessus	Misc.	8/31/2025	10/8/2025	medium
268953	Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: tomcat (UTSA-2025-986107)	Nessus	Unity Linux Local Security Checks	10/7/2025	10/7/2025	medium

Detections

Analytics

Plugins Search

high

high

high

high

high

high

medium

medium