| Name | CVE-2025-66614 |
| Description | Improper Input Validation vulnerability. This issue affects Apache To ... |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-6120-1, DSA-6121-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| tomcat10 (PTS) | bookworm | 10.1.34-0+deb12u2 | vulnerable |
| bookworm (security) | 10.1.52-1~deb12u1 | fixed |
| trixie | 10.1.40-1 | vulnerable |
| trixie (security) | 10.1.52-1~deb13u1 | fixed |
| forky, sid | 10.1.52-1 | fixed |
| tomcat11 (PTS) | trixie | 11.0.6-1 | vulnerable |
| trixie (security) | 11.0.15-1~deb13u1 | fixed |
| forky, sid | 11.0.18-1 | fixed |
| tomcat9 (PTS) | bullseye | 9.0.43-2~deb11u10 | vulnerable |
| bullseye (security) | 9.0.107-0+deb11u2 | fixed |
| bookworm | 9.0.70-2 | fixed |
| trixie | 9.0.95-1 | fixed |
| forky, sid | 9.0.115-1 | fixed |
The information below is based on the following data on fixed versions.
Notes
Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
https://lists.apache.org/thread/vw6lxtlh2qbqwpb61wd3sv1flm2nttw7
Fixed by: https://github.com/apache/tomcat/commit/258a591b61f8cf5c22109e21e5a2a38b63454fd2 (11.0.15)
Fixed by: https://github.com/apache/tomcat/commit/972f9a5e2a07674d92610c478aac1b205d60724e (10.1.50)
Fixed by: https://github.com/apache/tomcat/commit/5053fa82a1b2b52756810601227984a8b71888a4 (10.1.50)
Fixed by: https://github.com/apache/tomcat/commit/152c14885d45f5e0a8b59bd9f93c289cfe20ce30 (9.0.113)
Fixed by: https://github.com/apache/tomcat/commit/a4aa74232e826028cd2f7ba0445caf8a8b52c509 (9.0.113)
Fixed by: https://github.com/apache/tomcat/commit/9276b5e783c8cd5b3fe2bb716306b65004bdd940 (9.0.113)