CVE-2025-66614: Apache Tomcat - Client certificate verification bypass due to virtual host mapping Severity: Moderate Vendor: The Apache Software Foundation Affected Versions: - Apache Tomcat 11.0.0-M1 to 11.0.14 - Apache Tomcat 10.1.0-M1 to 10.1.49 - Apache Tomcat 9.0.0-M1 to 9.0.112 - Older, EOL versions may also be affected Description: Tomcat did not validate that the host name provided via the SNI extension was the same as the host name provided in the HTTP host header field. If Tomcat was configured with more than one virtual host and the TLS configuration for one of those hosts did not require client certificate authentication but another one did, it was possible for a client to bypass the client certificate authentication by sending different host names in the SNI extension and the HTTP host header field. The vulnerability only applies if client certificate authentication is only enforced at the Connector. It does not apply if client certificate authentication is enforced at the web application. Mitigation: Users of the affected versions should apply one of the following mitigations: Upgrade to Apache Tomcat 11.0.15 or later Upgrade to Apache Tomcat 10.1.50 or later Upgrade to Apache Tomcat 9.0.113 or later Credit: An external security researcher History: 2026-02-17 Original advisory References: 1. https://tomcat.apache.org/security-11.html 2. https://tomcat.apache.org/security-10.html 3. https://tomcat.apache.org/security-9.html