CVE-2025-49125
Apache Tomcat: Security constraint bypass for pre/post-resourcesAuthentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
We have discovered 6,217 live websites that are affected by CVE-2025-49125.
Affected Software
| Product |  Apache Tomcat |
| Category | Web Servers |
| Vulnerable Domains | 6,217 live websites (100% of Apache Tomcat install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 0 versions ( less than 0.1% of all versions) |
Common Weakness Enumeration
CWE-288 Authentication Bypass Using an Alternate Path or ChannelDetails
- Published - Jun 16, 2025
- Updated - Nov 3, 2025
Credits
- Greg K (https://github.com/gregk4sec) (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-49125 United States | 2,004 websites |
 China | 1,275 websites |
 Germany | 412 websites |
 Italy | 168 websites |
 France | 165 websites |
 Spain | 146 websites |
 India | 131 websites |
 Brazil | 124 websites |
 GB | 113 websites |
Website Distribution by TLD
Number of websites using CVE-2025-49125| .com | 2,619 websites |
| .de | 284 websites |
| .cn | 268 websites |
| .edu | 242 websites |
| .net | 239 websites |
| .org | 206 websites |
| .com.br | 136 websites |
| .it | 135 websites |
| .com.cn | 119 websites |
| .nl | 82 websites |
Websites affected by CVE-2025-49125
Top websites that are affected by CVE-2025-49125. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***.***.edu | United States | *** | |
| **************.com | United States | **,*** | |
| **.***.*****.*****.***.com | United States | **,*** | |
| *****.********.com | United States | **,*** | |
| **.******.com | United States | **,*** | |
| **.*****.ad |  Netherlands | **,*** | |
| ****.***.uz |  Uzbekistan | **,*** | |
| ******.com | China | **,*** | |
| *****.*******.com | United States | **,*** | |
| ******.com | Spain | **,*** |
FAQ
CVE-2025-49125 is Authentication Bypass Using an Alternate Path or Channel in Apache Tomcat
A total of 6,217 websites have been identified as vulnerable to CVE-2025-49125, based on global website indexing conducted by WebTechSurvey.
The Apache Tomcat is affected by the CVE-2025-49125 vulnerability.
Apache Tomcat versions up to and including 11.0.7 are vulnerable to CVE-2025-49125.