System administrators and security practitioners are being urged to respond to a recently disclosed high severity vulnerability (CVE-2025-46701) in the Apache Tomcat Common Gateway Interface (CGI) Servlet.
Announced by the Apache Software Foundation, this vulnerability could be exploited by attackers to bypass certain security restrictions and access restricted CGI.
The issue is due to case sensitivity of the pathInfo portion of URLs being improperly handled by URLs which are mapped to the CGI servlet.
In Apache Tomcat on Windows or macOS with case insensitive file systems that are not case preserving, applications deployed on a case sensitive file system (e.g. the NTFS file system) are unable to properly protect the application’s WEB-INF/web-resources directory because a case-sensitive check does not correctly identify the mismatch between the web request path and the file system path.
Attackers can change the case of characters in the URL path to gain unauthorized access to CGI scripts as well as other scripts, despite the intended protection afforded by the script case sensitivity configuration.
Although the Apache Software Foundation has rated this issue as “low importance”, since it can be used to bypass existing security controls, this is a serious problem for organizations where access restrictions are necessary for certain requests to CGI-based applications.
It is important to mention that the CGI servlet is not enabled by default, in any Apache Tomcat release. Thus, they are not at risk (of course) if CGI support has not been activated for them. And that includes heritage configurations or certain development patterns.
Affected versions vary: Apache Tomcat 11.0.0-M1 to 11.0.6, 10.1.0-M1 to 10.1.40, and 9.0.0-M1 to 9.0.104.
Immediate Action Recommended:
The Apache Software Foundation has immediately provided fixed software for this vulnerability. System administrators are urged to immediately update their current Apache Tomcat installations to the following releases:
Apache Tomcat 11.0.7
Apache Tomcat 10.1.41
Apache Tomcat 9.0.105
For companies not utilizing CGI functionality, this means the CGI servlet must be disabled in their Tomcat configuration. This elementary stage already minimises the area of attack. Moreover, detailed examination of web. xml save as attributes xml – Set this to true to ensure that compatibility for the node is enforced, regardless of the following option.
Regular security checks and vendor recommendations are applicable security best practices that you should take the time and the effort to properly protect your Apache Tomcat installation.
