
Apache Tomcat CGI Servlet Security Flaw Exposes PathInfo Bypass Risk (CVE-2025-46701)

The Lab (unverified), 2026-04-14 02:22:37. Source: GitHub Issues

A newly disclosed vulnerability in Apache Tomcat's CGI servlet could allow attackers to bypass critical security constraints. Tracked as CVE-2025-46701 (GHSA-h2fw-rfh5-95r3), the flaw stems from improper handling of case sensitivity in the pathInfo component of a URI mapped to the servlet. This weakness creates a potential avenue for circumventing access controls and other security rules defined for CGI-executed resources.

The vulnerability is present across a wide range of Tomcat versions, including the actively supported branches. It affects Apache Tomcat from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, and from 9.0.0.M1 through 9.0.104. Notably, versions that were already End-of-Life (EOL) at the time of the CVE's creation, specifically 8.5.0 through 8.5.100, are also confirmed to be affected, with older EOL versions potentially vulnerable as well. The flaw is classified under CWE-178 (Improper Handling of Case Sensitivity) and has been assigned a LOW severity rating.

While the immediate risk is assessed as low, the flaw is a bypass of security constraints, so it bears directly on the access controls administrators rely on for affected systems. The primary mitigation is an immediate upgrade to patched versions. Organizations running Tomcat with CGI functionality enabled should prioritize applying the official updates to close this gap and prevent exploitation that could undermine their application's access control mechanisms.
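To turn the affected ranges listed above into an inventory check, the following script (an added example, not part of the advisory or of the Apache Tomcat project) parses Tomcat version strings, including the milestone forms `11.0.0-M1` and `9.0.0.M1`, and reports whether a given version falls inside one of the stated ranges. The range bounds come from the text above; the version strings fed to it at the bottom are constructed sample inventory entries, and the three status labels are this example's own naming. It deliberately does not claim a version outside the ranges is "fixed", because the advisory text names the affected versions but not the patched ones.

```python
import re
from typing import Tuple

# Inclusive affected ranges exactly as stated in the advisory text.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.6"),
    ("10.1.0-M1", "10.1.40"),
    ("9.0.0.M1", "9.0.104"),
    ("8.5.0", "8.5.100"),   # branch was already End-of-Life when the CVE was created
]

# Accepts "major.minor.patch" with an optional milestone suffix written either
# as "-M<n>" (modern Tomcat) or ".M<n>" (older 9.0.x style).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Parse a Tomcat version string into a sortable tuple.

    A milestone (e.g. 11.0.0-M1) precedes the general-availability release
    carrying the same numbers, so milestones are encoded as
    (major, minor, patch, 0, n) and GA releases as (major, minor, patch, 1, 0);
    plain tuple comparison then orders them correctly.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, milestone = match.groups()
    if milestone is not None:
        return (int(major), int(minor), int(patch), 0, int(milestone))
    return (int(major), int(minor), int(patch), 1, 0)


def assess(version: str) -> str:
    """Classify a version against the ranges the advisory lists.

    Returns one of (labels chosen for this example):
      "affected"               - inside a listed range
      "eol-possibly-affected"  - older than 8.5.0; the advisory says older
                                 EOL versions are potentially vulnerable too
      "not-in-listed-ranges"   - outside every listed range (not proof of a fix)
    """
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return "affected"
    if v < parse_version("8.5.0"):
        return "eol-possibly-affected"
    return "not-in-listed-ranges"


if __name__ == "__main__":
    # Constructed sample inventory: hostname and the Tomcat version found there.
    inventory = [
        ("app-01", "9.0.104"),
        ("app-02", "10.1.41"),
        ("app-03", "11.0.0-M1"),
        ("legacy-07", "7.0.109"),
    ]
    for host, ver in inventory:
        print(f"{host:10} {ver:12} {assess(ver)}")
```

Run it as a script to print one status line per host, or import `assess` into a larger asset-inventory job; the parser raises `ValueError` on strings it cannot interpret rather than silently treating them as unaffected.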