CVE-2025-66614

CWE-20 — Improper Input Validation CWE-295 — Improper Certificate Validation CWE-1289 CWE-18414 documents9 sources

Severity

9.1CRITICAL

EPSS

0.0%

top 86.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat Apache Software Foundation Apache Tomcat

Timeline

PublishedFeb 17

Latest updateApr 9

Description

Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected. Tomcat did not validate that the host name provided via the SNI extension was the same as the host name provided in the HTTP host header field. If Tomcat was configured with …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages8 packages

▶NVDapache/tomcat9.0.1 — 9.0.113+5

▶Mavenorg.apache.tomcat:tomcat11.0.0-M1 — 11.0.15+2

▶Mavenorg.apache.tomcat:tomcat-catalina11.0.0-M1 — 11.0.15+2

▶Mavenorg.apache.tomcat.embed:tomcat-embed-core11.0.0-M1 — 11.0.15+2

▶CVEListV5apache_software_foundation/apache_tomcat11.0.15 — 11.0.19+6

🔴Vulnerability Details

GHSA

Apache Tomcat has an Improper Input Validation vulnerability↗2026-04-09

▶

OSV

Apache Tomcat - Client certificate verification bypass↗2026-02-17

▶

GHSA

Apache Tomcat - Client certificate verification bypass↗2026-02-17

▶

CVEList

Apache Tomcat: Client certificate verification bypass due to virtual host mapping↗2026-02-17

▶

OSV

CVE-2025-66614: Improper Input Validation vulnerability↗2026-02-17

▶

📋Vendor Advisories

Red Hat

Apache Tomcat: Apache Tomcat: Improper Input Validation vulnerability due to incomplete fix↗2026-04-09

▶

Red Hat

tomcat: Client certificate verification bypass due to virtual host mapping↗2026-02-17

▶

Debian

CVE-2025-66614: tomcat10 - Improper Input Validation vulnerability. This issue affects Apache Tomcat: from...↗2025

▶

Apache

Apache tomcat: CVE-2025-66614↗

▶

🕵️Threat Intelligence

Wiz

CVE-2025-66614 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-32990 Apache Tomcat: Apache Tomcat: Improper Input Validation vulnerability due to incomplete fix↗2026-04-09

▶

Bugzilla

CVE-2025-66614 tomcat: Client certificate verification bypass due to virtual host mapping [fedora-43]↗2026-02-18

▶

Bugzilla

CVE-2025-66614 tomcat: Client certificate verification bypass due to virtual host mapping [fedora-42]↗2026-02-18

▶