Apache Tomcat Security Constraint Bypass via HTTP/0.9 Protocol Manipulation
A critical improper input validation vulnerability in Apache Tomcat enables attackers to bypass configured security constraints by exploiting how the server handles HTTP/0.9 requests. The flaw specifically affects deployments where security rules permit HEAD requests but deny GET requests to protected URIs. By sending a malformed HEAD request using the HTTP/0.9 protocol variant, which predates explicit method specification in the protocol, attackers can circumvent the intended access restrictions without triggering the configured denial logic.
The vulnerability stems from Tomcat's failure to enforce method restrictions on HTTP/0.9 requests, creating a protocol-level blind spot in access control enforcement. Security constraints relying on method-based access control are rendered ineffective when the request arrives via the legacy protocol format. This affects Tomcat versions 11.0.0-M1 through 11.0.14, 10.1.0-M1 through 10.1.49, and 9.0.0.M1 through 9.0.112, with all end-of-life branches also impacted.
The recommended remediation involves upgrading to Tomcat 11.0.15, 10.1.50, or 9.0.113. For embedded deployments using tomcat-embed-core, the fix requires updating org.apache.tomcat.embed:tomcat-embed-core from 10.1.43 to the patched release corresponding to the active major version. Organizations running affected Tomcat instances should prioritize patching, particularly those with security constraints that differentiate between HEAD and GET access to sensitive endpoints.
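To find the constraint shape the advisory singles out (GET constrained while HEAD stays open), the following audit script is an added example, not code from the advisory or from the Tomcat project; it assumes a standard web.xml layout, handles both `http-method` and `http-method-omission` lists, and runs against a constructed sample descriptor embedded inline.

```python
import xml.etree.ElementTree as ET

# web.xml normally namespaces every tag; compare on the local name only.
def _local(tag): return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    return [c.text.strip() for c in elem if _local(c.tag) == name and c.text]

def find_head_get_asymmetries(web_xml_text):
    """Return (constraint name, url-patterns) for every web-resource-collection
    that constrains GET but leaves HEAD unconstrained (the advisory's shape)."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        name = (_texts(sc, "display-name") or ["<unnamed>"])[0]
        for wrc in (c for c in sc if _local(c.tag) == "web-resource-collection"):
            listed = {m.upper() for m in _texts(wrc, "http-method")}
            omitted = {m.upper() for m in _texts(wrc, "http-method-omission")}
            if not listed and not omitted:
                continue  # no method list: every method is covered alike
            if listed:
                get_in, head_in = "GET" in listed, "HEAD" in listed
            else:
                get_in, head_in = "GET" not in omitted, "HEAD" not in omitted
            if get_in and not head_in:
                findings.append((name, _texts(wrc, "url-pattern")))
    return findings

# Constructed sample (not from the advisory): the first constraint denies GET
# on /admin/* to every role; the second covers all methods on /api/*.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <security-constraint>
    <display-name>deny-get-admin</display-name>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <display-name>all-methods-api</display-name>
    <web-resource-collection>
      <web-resource-name>api</web-resource-name>
      <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
```

Calling `find_head_get_asymmetries(SAMPLE_WEB_XML)` reports only `deny-get-admin` on `/admin/*`; a constraint with no method list covers HEAD and GET alike and is not flagged.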