tomcat-embed-core is vulnerable to Improper Check for Unusual or Exceptional Conditions
98
Critical Risk
Apache Tomcat contains an unchecked error condition vulnerability in certain Jakarta Authentication (formerly JASPIC) configurations. If Tomcat uses a custom ServerAuthContext implementation that throws an exception during authentication without explicitly setting an HTTP error status, the authentication process may not fail as intended. As a result, a user could potentially bypass authentication. No Jakarta Authentication components are currently known to exhibit this behavior.
You are affected if you are using a version that falls within the vulnerable range.
tomcat-embed-core is vulnerable to Improper Check for Unusual or Exceptional Conditions in versions 11.0.0 - 11.0.0, 10.1.0 - 10.1.29 and 8.5.0 - 9.0.95.
Upgrade Tomcat to any of the patched versions.