Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.
When Apache Tomcat uses a custom ServerAuthContext component as part of Jakarta Authentication (formerly JASPIC), and the component throws an exception during the authentication process without explicitly setting an HTTP response code signaling failure, the server may incorrectly consider the authentication as successfully completed. This is an error of category CWE-391 (Unchecked Error Condition) and CWE-754 (Improper Check for Unusual Exceptional Conditions) — the application does not properly verify the error state and continues processing the request as if the user were authenticated. Apache indicates that no standard Jakarta Authentication components are known to exhibit such behavior, which limits the vulnerability scope to environments using custom implementations.
An attacker can bypass the authentication mechanism and gain unauthorized access to protected application resources, which may lead to violations of confidentiality, integrity, and availability of data processed by the server.
Apache Tomcat should be updated to version 11.0.0, 10.1.31 or 9.0.96, which contain the fix. Version 8.5.x is marked as EOL and will not receive an official patch — migration to a supported branch is recommended. As a workaround, consider replacing or removing the custom JASPIC ServerAuthContext component that does not explicitly handle HTTP error codes during exceptions.
Apache Tomcat in versions: 11.0.0-M1 through 11.0.0-M26, 10.1.0-M1 through 10.1.30, 9.0.0-M1 through 9.0.95. EOL versions: 8.5.0 through 8.5.100 (and potentially other EOL versions). The vulnerability affects only configurations using a custom JASPIC ServerAuthContext component. It also affects Debian Linux (Apache Tomcat packages).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Tomcat
APPApache11.0.09.0.0 – 9.0.96 (bez)10.1.0 – 10.1.31 (bez)Debian
OSDebian11.0
Related vulnerabilities
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki