A high-severity path traversal vulnerability has been discovered in Apache Tomcat, identified as CVE-2025-55752. This flaw could allow an unauthenticated remote attacker to access sensitive files on the server by manipulating URL paths. Successful exploitation could lead to unauthorized disclosure of confidential information, such as configuration files, source code, or credentials, posing a significant risk to data confidentiality and system integrity.

This vulnerability is a Relative Path Traversal (also known as Directory Traversal). It exists because the application fails to properly sanitize user-supplied input for directory traversal sequences (e.g., ../). An unauthenticated remote attacker can exploit this by crafting a malicious HTTP request with specially formatted path information. This tricks the application into navigating outside of the intended web root directory, granting the attacker read access to arbitrary files and directories on the underlying server filesystem, limited by the permissions of the Tomcat service account.

With a CVSS score of 7.5, this vulnerability is rated as High severity. Exploitation could lead to significant business harm, including the unauthorized disclosure of sensitive data. Attackers could potentially access application source code, database credentials, system configuration files, or private user data. This could result in a data breach, theft of intellectual property, regulatory penalties for non-compliance, and severe reputational damage. The exposed information could also be used to facilitate further, more complex attacks against the organization's infrastructure.

Immediate Action: The primary remediation is to apply the security updates provided by the Apache Software Foundation to all affected Tomcat instances immediately. After patching, it is crucial to monitor system and application logs for any signs of attempted or successful exploitation that may have occurred prior to the update.

Proactive Monitoring: Security teams should actively monitor web server access logs for suspicious requests containing directory traversal sequences, such as ../, ..%2f, %2e%2e/, and their encoded variants. Monitor for unusual file access patterns on the server, especially attempts to access files outside of the standard web directories (e.g., /etc/passwd, C:\Windows\win.ini).

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

• Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block path traversal attack patterns in HTTP requests.
• Ensure the Tomcat service runs with a dedicated, low-privilege user account with a strictly enforced, minimal set of file system permissions.
• Implement strict file system access control lists (ACLs) to prevent the Tomcat process from reading sensitive directories and files.

Public Exploit Available: false

Given the high severity of this vulnerability and the widespread deployment of Apache Tomcat, we strongly recommend that all vulnerable instances be patched on an emergency basis. Although there is no evidence of active exploitation at this time, the risk of future exploitation is high. Organizations should prioritize the application of vendor-supplied security updates to prevent potential data breaches and system compromise. If patching is delayed, implement the recommended compensating controls immediately to reduce the attack surface.