Related vulnerability
Title: Apache Tomcat security vulnerability (CVE-2025-55752)
Description: Apache Tomcat is a lightweight web application server from the Apache Software Foundation (USA), used to provide support for Servlets and JavaServer Pages (JSP). Apache Tomcat contains a security vulnerability caused by a path traversal issue in URL rewrite rules, which may allow security restrictions to be bypassed and lead to remote code execution. The following versions are affected: 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, 9.0.0.M11 through 9.0.108, and 8.5.6 through 8.5.100.
Description
CVE-2025-55752 is a vulnerability in Apache Tomcat that allows directory traversal via URL rewrite and, under certain conditions, leads to remote code execution (RCE) if HTTP PUT is enabled.
Introduction
🚨🚨 CVE-2025-55752 — Apache Tomcat: Directory-protection bypass via Rewrite Valve → PUT-based RCE🚨🚨
Summary
CVE-2025-55752 is a security regression in Apache Tomcat introduced while fixing bug #60013. When the Rewrite Valve is used, Tomcat applies *path normalization* before *URL decoding*. This incorrect ordering enables crafted URIs to bypass the access checks implemented in `StandardContextValve.java` for protected paths such as `/WEB-INF/` and `/META-INF/`. If the server accepts HTTP `PUT` requests (or exposes any writable file-upload endpoint), an attacker can upload malicious artifacts (for example `.jsp` or serialized sessions) and achieve remote code execution (RCE).
---
🚨 Affected versions
* Apache Tomcat **11.0.0-M1** through **11.0.10**
* Apache Tomcat **10.1.0-M1** through **10.1.44**
* Apache Tomcat **9.0.0.M11** through **9.0.108**
> Older end-of-life (EOL) Tomcat branches that included the rewrite/normalization change may also be affected. Verify against your specific distribution/vendor build.
---
🚨 Impact
* **Confidentiality / Integrity / Availability:** High — a successful exploit may allow arbitrary file write under the webapp context and lead to remote code execution.
* **Typical targets:** Tomcat installations using the Rewrite Valve or URL rewriting features, especially when HTTP `PUT` (or other write-capable endpoints) is enabled or when webapps permit file uploads without sufficient validation.
* **Attack surface:** Publicly accessible web servers running affected Tomcat versions with writable endpoints or permissive rewrite rules.
---
🚨🚨 Technical details (concise)
1. The Rewrite Valve performs *normalization* (path canonicalization) before *URL decoding*.
2. An attacker crafts a URI that, after normalization but before decoding, bypasses `StandardContextValve` protections for `/WEB-INF/` and `/META-INF/`.
3. If the server accepts `PUT` or has a file-upload endpoint that places files under the webapp document root, the attacker can write `.jsp` or other executable content into a location that the server serves or executes, resulting in RCE.
---
Remediation & defense strategies
Immediate (recommended)
* **Upgrade Tomcat** to a fixed, supported release as soon as possible:
* **11.0.11+**, **10.1.45+**, or **9.0.109+** (or later) — these releases include the fix for the normalization/decoding ordering and related access checks.
If immediate upgrade is not feasible (temporary mitigations)
1. **Disable HTTP `PUT`** at the server, connector, or reverse-proxy level (e.g., via web server config or firewall rules).
2. **Harden / remove Rewrite rules** that allow arbitrary rewriting to writable locations; specifically remove rules that rewrite or forward query parameters into file paths.
3. **Harden file-upload handling** in web applications:
* Enforce server-side file type/extension checks and strict destination path validation.
* Deny uploads that attempt to place files under `/WEB-INF/`, `/META-INF/`, or any application classpath.
4. **Filter/Block exploit URIs** at perimeter (WAF / reverse proxy) by blocking suspicious encoded payloads and patterns that attempt to bypass `/WEB-INF` or `/META-INF` protections.
5. **Least privilege for file stores:** ensure the webapp process cannot write to directories that are served or executed by the container.
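The technical details above hinge on ordering: a check that normalises before it decodes can be fooled by percent-encoded dot segments. The following is an added example, not code from the PoC repository or from Apache Tomcat, of a defender-side log check that applies the correct order (decode first, then normalise) to request paths from access-log lines, strips an assumed context path (`/app`), and flags requests whose canonical path lands in `/WEB-INF/` or `/META-INF/` or that use `PUT`. It serves mitigation step 4 (perimeter filtering) as well; the log lines, the `/app` context path and the helper names are all constructed for this example.

```python
"""Flag access-log requests that reach protected Tomcat directories after
percent-decoding and normalisation, or that use the write-capable PUT method.
Added example; the log format, context path and function names are assumptions."""
import posixpath
import re
from urllib.parse import unquote

# Directories StandardContextValve protects (compared case-insensitively).
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")

# Quoted request line of a Common Log Format entry (constructed sample format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic): one clean request, one with a
# percent-encoded dot segment, one PUT, one double-encoded dot segment.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2025:00:00:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2025:00:00:01 +0000] "GET /app/static/%2e%2e/WEB-INF/web.xml HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Jan/2025:00:00:02 +0000] "PUT /app/uploads/note.txt HTTP/1.1" 201 0',
    '10.0.0.9 - - [01/Jan/2025:00:00:03 +0000] "GET /app/%252e%252e/META-INF/context.xml HTTP/1.1" 404 0',
]


def canonical_path(target):
    """Decode first, then normalise: the order the vulnerable valve got wrong.

    Decoding is repeated a bounded number of times so double encoding
    (e.g. %252e) is also resolved before dot segments are collapsed."""
    path = target.split("?", 1)[0]          # query string never forms the path
    decoded = path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    normalised = posixpath.normpath(decoded)  # collapses "." and ".." segments
    if decoded.endswith("/") and not normalised.endswith("/"):
        normalised += "/"                     # normpath drops the trailing slash
    return normalised


def analyse_request(method, target, context_path="/app"):
    """Return the reasons a request is suspicious (empty list means clean)."""
    reasons = []
    if method == "PUT":
        reasons.append("PUT request (write-capable method)")
    path = canonical_path(target)
    # Tomcat checks the path relative to the context; strip the assumed context.
    if path == context_path or path.startswith(context_path + "/"):
        rel = path[len(context_path):] or "/"
    else:
        reasons.append("canonical path escapes context %s: %s" % (context_path, path))
        rel = path
    upper = rel.upper()
    for prefix in PROTECTED_PREFIXES:
        if upper.startswith(prefix) or upper == prefix.rstrip("/"):
            reasons.append("canonical path enters protected directory %s: %s" % (prefix, rel))
    return reasons


def scan_log(lines, context_path="/app"):
    """Return (line_number, method, raw_target, reasons) for every flagged line."""
    flagged = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.search(line)
        if not match:
            continue
        reasons = analyse_request(match["method"], match["target"], context_path)
        if reasons:
            flagged.append((number, match["method"], match["target"], reasons))
    return flagged


if __name__ == "__main__":
    for number, method, target, reasons in scan_log(LOG_LINES):
        print("line %d: %s %s" % (number, method, target))
        for reason in reasons:
            print("    - " + reason)
```

The decode-then-normalise order in `canonical_path` is the property the fix restores; a perimeter rule that only looks for literal `..` or `/WEB-INF/` in the raw URI would miss the second and fourth sample lines entirely, which is why the check runs on the canonical form rather than on the bytes as sent.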
---
Function Overview
This tool performs two-step detection based on the official CVE-2025-55752 description:
1. Attempts to exploit the incorrect ordering of URL normalization before decoding in Apache Tomcat’s Rewrite Valve, allowing path traversal to protected locations like `/WEB-INF` or `/META-INF`.
2. Attempts to upload a test JSP file via `HTTP PUT`, then checks if the protection mechanisms can be bypassed to access the uploaded file.
---
### Usage Examples:
**Check if path traversal to protected directories is possible:**
```bash
python3 cve_2025_55752_detector.py http://target:8080 --check
```
**Attempt to upload a JSP file and test access bypass:**
```bash
python3 cve_2025_55752_detector.py http://target:8080
```
🔧 **Customize the filename and payload content:**
```bash
python3 cve_2025_55752_detector.py http://target:8080 --filename exploit.jsp --payload "<% out.println('PWNED'); %>"
```
---
File snapshot
[4.0K] /data/pocs/990f5345316dc0e7b1dba43c7aeaebc0b2f44940
├── [2.9K] Check_CVE-2025-55752.py
├── [4.2K] README.md
└── [ 57] requirements.txt
1 directory, 3 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating to the local POC archive. Thank you for your support.