CVE-2025-66614 Apache Tomcat - Client certificate verification bypass
due to virtual host mapping
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.14
Apache Tomcat 10.1.0-M1 to 10.1.49
Apache Tomcat 9.0.0.M1 to 9.0.112
Older, EOL versions may also be affected
Description:
Tomcat did not validate that the host name provided via the SNI
extension was the same as the host name provided in the HTTP host header
field. If Tomcat was configured with more than one virtual host and the
TLS configuration for one of those hosts did not require client
certificate authentication but another one did, it was possible for a
client to bypass the client certificate authentication by sending
different host names in the SNI extension and the HTTP host header field.
The vulnerability only applies if client certificate authentication is
only enforced at the Connector. It does not apply if client certificate
authentication is enforced at the web application.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.15 or later
- Upgrade to Apache Tomcat 10.1.50 or later
- Upgrade to Apache Tomcat 9.0.113 or later
Credit:
An external security researcher
History:
2026-02-17 Original advisory
References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
