## https://sploitus.com/exploit?id=FD20EAFD-791A-5331-92C9-0F3DA25AF8D2
🚨🚨 CVE-2025-55752: Apache Tomcat directory-protection bypass via Rewrite Valve → PUT-based RCE 🚨🚨
Summary

CVE-2025-55752 is a security regression in Apache Tomcat introduced while fixing bug #60013. When the Rewrite Valve is used, Tomcat applies *path normalization* before *URL decoding*. This incorrect ordering enables crafted URIs to bypass the access checks implemented in `StandardContextValve.java` for protected paths such as `/WEB-INF/` and `/META-INF/`. If the server accepts HTTP `PUT` requests (or exposes any writable file-upload endpoint), an attacker can upload malicious artifacts (for example `.jsp` or serialized sessions) and achieve remote code execution (RCE).

---

🚨  Affected versions

* Apache Tomcat **11.0.0-M1** through **11.0.10**
* Apache Tomcat **10.1.0-M1** through **10.1.44**
* Apache Tomcat **9.0.0.M11** through **9.0.108**

> Older end-of-life (EOL) Tomcat branches that included the rewrite/normalization change may also be affected. Verify against your specific distribution/vendor build.
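To turn the ranges above into an inventory check, here is an added helper (my own example, not part of this advisory or the detector tool) that classifies a Tomcat version string, including milestone builds such as `11.0.0-M1` and `9.0.0.M11` and the `Server version:` line printed by `bin/version.sh`, against the affected releases listed above and the fixed releases named under remediation; the `version.sh` output in the block is constructed.

```python
"""Classify a Tomcat version against the CVE-2025-55752 ranges in this advisory."""
import re

# (first affected, last affected, first fixed) per branch, as listed in the advisory.
BRANCHES = [
    ("11.0.0-M1", "11.0.10", "11.0.11"),
    ("10.1.0-M1", "10.1.44", "10.1.45"),
    ("9.0.0.M11", "9.0.108", "9.0.109"),
]

# Matches "9.0.108", "11.0.0-M1", "9.0.0.M11" and "Apache Tomcat/9.0.108".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?\b")


def parse_version(text):
    """Return a sortable tuple; milestone (M) builds sort before the GA of the same x.y.z."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    ga_rank = 0 if milestone else 1  # GA release ranks above every milestone
    return (int(major), int(minor), int(patch), ga_rank, int(milestone or 0))


def assess(version_text):
    """Return (status, advice); status is 'affected', 'fixed' or 'not_listed'."""
    v = parse_version(version_text)
    for first, last, fixed in BRANCHES:
        lo, hi, fx = (parse_version(s) for s in (first, last, fixed))
        if v[:2] != lo[:2]:
            continue  # different major.minor branch
        if lo <= v <= hi:
            return "affected", f"upgrade to {fixed} or later"
        if v >= fx:
            return "fixed", f"includes the fix first shipped in {fixed}"
        return "not_listed", f"pre-dates {first}; outside the advisory's affected range"
    return "not_listed", "branch not covered by the advisory (EOL?); check the vendor build"


def assess_version_sh(output):
    """Find the 'Server version:' line in bin/version.sh output and assess it."""
    for line in output.splitlines():
        if line.startswith("Server version:"):
            return assess(line)
    raise ValueError("no 'Server version:' line found")


if __name__ == "__main__":
    # Constructed sample of bin/version.sh output, not captured from a real host.
    SAMPLE = "Server version: Apache Tomcat/9.0.108\nServer built:   (constructed)\n"
    print(assess_version_sh(SAMPLE))
```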

---

🚨  Impact

* **Confidentiality / Integrity / Availability:** High: a successful exploit may allow arbitrary file write under the webapp context and lead to remote code execution.
* **Typical targets:** Tomcat installations using the Rewrite Valve or URL rewriting features, especially when HTTP `PUT` (or other write-capable endpoints) is enabled or when webapps permit file uploads without sufficient validation.
* **Attack surface:** Publicly accessible web servers running affected Tomcat versions with writable endpoints or permissive rewrite rules.

---

🚨🚨  Technical details (concise)

1. The Rewrite Valve performs *normalization* (path canonicalization) before *URL decoding*.
2. An attacker crafts a URI that, after normalization but before decoding, bypasses `StandardContextValve` protections for `/WEB-INF/` and `/META-INF/`.
3. If the server accepts `PUT` or has a file-upload endpoint that places files under the webapp document root, the attacker can write `.jsp` or other executable content into a location that the server serves or executes, resulting in RCE.

---

Remediation & defense strategies

Immediate (recommended)

* **Upgrade Tomcat** to a fixed, supported release as soon as possible:

  * **11.0.11+**, **10.1.45+**, or **9.0.109+** (or later); these releases include the fix for the normalization/decoding ordering and related access checks.

If immediate upgrade is not feasible (temporary mitigations)

1. **Disable HTTP `PUT`** at the server, connector, or reverse-proxy level (e.g., via web server config or firewall rules).
2. **Harden / remove Rewrite rules** that allow arbitrary rewriting to writable locations; specifically remove rules that rewrite or forward query parameters into file paths.
3. **Harden file-upload handling** in web applications:

   * Enforce server-side file type/extension checks and strict destination path validation.
   * Deny uploads that attempt to place files under `/WEB-INF/`, `/META-INF/`, or any application classpath.
4. **Filter/block exploit URIs** at the perimeter (WAF / reverse proxy) by blocking suspicious encoded payloads and patterns that attempt to bypass `/WEB-INF` or `/META-INF` protections.
5. **Least privilege for file stores:** ensure the webapp process cannot write to directories that are served or executed by the container.

---

Function Overview

This tool performs two-step detection based on the official CVE-2025-55752 description:

1. Attempts to exploit the incorrect ordering of URL normalization before decoding in Apache Tomcat’s Rewrite Valve, allowing path traversal to protected locations like `/WEB-INF` or `/META-INF`.

2. Attempts to upload a test JSP file via `HTTP PUT`, then checks if the protection mechanisms can be bypassed to access the uploaded file.

---

### Usage Examples:

 **Check if path traversal to protected directories is possible:**

```bash
python3 cve_2025_55752_detector.py http://target:8080 --check
```
**Attempt to upload a JSP file and test access bypass:**

```bash
python3 cve_2025_55752_detector.py http://target:8080
```

🔧 **Customize the filename and payload content:**

```bash
python3 cve_2025_55752_detector.py http://target:8080 --filename exploit.jsp --payload ""
```

---