Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
| Vendor | Product | Package | Versions |
|---|---|---|---|
| apache | tomcat | maven/org.apache.tomcat:tomcat | >= 9.0.113, < 9.0.116 |
| apache | tomcat | maven/org.apache.tomcat:tomcat | >= 10.1.50, < 10.1.53 |
| apache | tomcat | maven/org.apache.tomcat:tomcat | >= 11.0.15, <= 11.0.18 |
| apache | tomcat | maven/org.apache.tomcat.embed:tomcat-embed-core | >= 9.0.113, < 9.0.116 |
| apache | tomcat | maven/org.apache.tomcat.embed:tomcat-embed-core | >= 10.1.50, < 10.1.53 |
| apache | tomcat | maven/org.apache.tomcat.embed:tomcat-embed-core | >= 11.0.15, < 11.0.20 |
| apache | tomcat | maven/org.apache.tomcat:tomcat-coyote | >= 9.0.113, < 9.0.116 |
| apache | tomcat | maven/org.apache.tomcat:tomcat-coyote | >= 10.1.50, < 10.1.53 |
| apache | tomcat | maven/org.apache.tomcat:tomcat-coyote | >= 11.0.15, <= 11.0.18 |
Downstream vendors/products affected by this vulnerability
| Vendor | Product | Source | Confidence |
|---|---|---|---|
| apache | tomcat | cert_advisory | 90% |
| maven | org.apache.tomcat:tomcat-catalina | GHSA | 85% |
| maven | org.apache.tomcat:tomcat | GHSA | 85% |
| maven | org.apache.tomcat.embed:tomcat-embed-core | GHSA | 85% |
| maven | org.apache.tomcat:tomcat-coyote | GHSA | 85% |
Updated severity to CRITICAL and noted that no exploit is available.
Initial creation