## Apache Tomcat Security Flaw: Pre/Post-Resources Vulnerability Bypasses Authentication (CVE-2025-49125)
A newly disclosed vulnerability in Apache Tomcat lets an attacker bypass the security constraints that protect parts of a web application, potentially gaining unauthorized access to protected server resources. The flaw, tracked as CVE-2025-49125 (GHSA-wc4r-xq3c-5cf3), stems from how Tomcat handles PreResources and PostResources: extra resource sets (a directory or JAR) that an administrator overlays on a web application through the `<Resources>` element of its context configuration. When such a resource set is mounted somewhere other than the web application's root (for example under `/admin/`), its contents are also reachable through a second, unexpected request path. Security constraints in `web.xml` are matched against the request path, so a constraint written for the intended path does not cover the alternate one, and the constraint is circumvented.

The vulnerability is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and carries a MODERATE severity rating. It affects Apache Tomcat 11.0.0-M1 through 11.0.7, 10.1.0-M1 through 10.1.41 and 9.0.0.M1 through 9.0.105; the first fixed releases are 11.0.8, 10.1.42 and 9.0.106. Embedded deployments pull Tomcat in through the Maven artifact `org.apache.tomcat.embed:tomcat-embed-core`, and any version of that artifact inside the affected ranges (10.1.20, for example) carries the flaw, as does a standalone installation of the same version.

The practical precondition is a PreResources or PostResources mount below the web application root; a deployment that does not configure such a mount is not exposed by this issue. Teams that do use non-root mounts should update to a fixed release and, until then, review whether any mounted resource sits under a path that a security constraint is meant to protect, since content assumed to be covered by authentication or authorization rules may be served without them. Leaving a vulnerable version in place risks exposure of that content and whatever further compromise the exposed material enables.
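
To make the two conditions above concrete, the version ranges and the "mounted other than at the root" configuration, here is an added audit script. It is example code written for this page, not code from the Tomcat project or from the advisory. It assumes the first fixed releases are 9.0.106, 10.1.42 and 11.0.8, that milestone builds (`9.0.0.M1`, `10.1.0-M1`) sort before the GA release of the same number, and that the `webAppMount` attribute of a resource set (default `/`) is the mount point, which is how Tomcat's `DirResourceSet` and related resource sets are configured. The `context.xml` it inspects is constructed for the example and its paths are invented.

```python
"""Audit a Tomcat deployment for exposure to CVE-2025-49125.

Two checks, both taken from the advisory text:
  1. Is the Tomcat version inside an affected range?
  2. Does the context configuration mount PreResources/PostResources
     somewhere other than the web application root (webAppMount != "/")?
Only a deployment that matches both is exposed.
"""
import re
import xml.etree.ElementTree as ET

# First fixed release per supported branch (assumption stated in the lead-in).
FIXED_IN = {(9, 0): 106, (10, 1): 42, (11, 0): 8}

# Accepts "9.0.105", "9.0.0.M1" (9.x milestone style) and "10.1.0-M1" (10.x/11.x style).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(version):
    """Turn a Tomcat version string into a sortable tuple.

    A milestone sorts before the GA release with the same number, so GA gets
    a higher flag (1) than any milestone (0), and milestones sort by number.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def version_affected(version):
    """True if version is in an affected range, False if it carries the fix,
    None if the branch is not one the advisory covers (e.g. EOL 8.5.x/10.0.x)."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in FIXED_IN:
        return None
    first_fixed = branch + (FIXED_IN[branch], 1, 0)
    return v < first_fixed


def non_root_mounts(context_xml):
    """Return [(tag, base, webAppMount)] for every PreResources/PostResources
    element mounted below the web application root. webAppMount defaults to '/'."""
    root = ET.fromstring(context_xml)
    found = []
    for resources in root.iter("Resources"):
        for child in resources:
            if child.tag not in ("PreResources", "PostResources"):
                continue
            mount = child.get("webAppMount", "/").rstrip("/") or "/"
            if mount != "/":
                found.append((child.tag, child.get("base", ""), mount))
    return found


def audit(version, context_xml):
    """Combine both checks; 'exposed' is True only when both conditions hold."""
    affected = version_affected(version)
    mounts = non_root_mounts(context_xml)
    return {
        "version_affected": affected,
        "non_root_mounts": mounts,
        "exposed": bool(affected) and bool(mounts),
    }


# Constructed sample context.xml: a root-mounted PreResources (harmless for this
# issue) and a PostResources mounted under /admin, the case the advisory describes.
SAMPLE_CONTEXT_XML = """\
<Context>
  <Resources>
    <PreResources className="org.apache.catalina.webresources.DirResourceSet"
                  base="/opt/shared/branding" webAppMount="/"/>
    <PostResources className="org.apache.catalina.webresources.DirResourceSet"
                   base="/opt/shared/reports" webAppMount="/admin/reports"/>
  </Resources>
</Context>
"""

if __name__ == "__main__":
    for ver in ("9.0.0.M1", "10.1.0-M1", "10.1.20", "10.1.41", "10.1.42", "11.0.8"):
        print(ver, "affected" if version_affected(ver) else "fixed")
    print(audit("10.1.20", SAMPLE_CONTEXT_XML))
```

The script only sees resource sets declared in XML; an embedded Tomcat that builds its resource sets through the Java API (`StandardRoot`, `DirResourceSet`) needs a code review instead. It also does not read `web.xml`, so a positive result means the preconditions for the bypass are present, not that a specific constraint has been shown to be skippable.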
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: Apache Tomcat, CVE-2025-49125, Authentication Bypass, Java Security, Vulnerability Disclosure
- **Credibility**: unverified
- **Published**: 2026-04-14 02:22:26
- **ID**: 62931
- **URL**: https://whisperx.ai/en/intel/62931