Authentication Bypass Using an Alternate Path or Channel

CVE-2025-49125

Medium

6.3/10

Summary

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using `PreResources` or `PostResources` mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat versions 9.0.0.M1 through 9.0.105, 10.1.0-M1 through 10.1.41, and 11.0.0-M1 through 11.0.7.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-288 - Authentication Bypass Using an Alternate Path or Channel

A product requires authentication, but the product has an alternate path or channel that does not require authentication.

References

Advisory Timeline

Published Jun 16, 2025

Authentication Bypass Using an Alternate Path or Channel

CVE-2025-49125

Summary

CWE-288 - Authentication Bypass Using an Alternate Path or Channel

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS