CVE-2025-66614
February 17, 2026
Improper Input Validation vulnerability.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected.
Tomcat did not validate that the host name provided via the SNI
extension was the same as the host name provided in the HTTP host header
field. If Tomcat was configured with more than one virtual host and the
TLS configuration for one of those hosts did not require client
certificate authentication but another one did, it was possible for a
client to bypass the client certificate authentication by sending
different host names in the SNI extension and the HTTP host header field.
The vulnerability only applies if client certificate authentication is
only enforced at the Connector. It does not apply if client certificate
authentication is enforced at the web application.
Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue.
Affected Packages
https://github.com/apache/tomcat.git (GITHUB):
Affected version(s) >=10.1.0-M1 <10.1.50Fix Suggestion:
Update to version 10.1.50https://github.com/apache/tomcat.git (GITHUB):
Affected version(s) >=11.0.0-M1 <11.0.15Fix Suggestion:
Update to version 11.0.15https://github.com/apache/tomcat.git (GITHUB):
Affected version(s) >=9.0.0-M1 <9.0.113Fix Suggestion:
Update to version 9.0.113org.apache.tomcat:tomcat-coyote (JAVA):
Affected version(s) >=11.0.0-M1 <11.0.14Fix Suggestion:
Update to version 11.0.14org.apache.tomcat.embed:tomcat-embed-core (JAVA):
Affected version(s) >=10.1.0-M1 <10.1.50Fix Suggestion:
Update to version 10.1.50org.apache.tomcat.embed:tomcat-embed-core (JAVA):
Affected version(s) >=10.1.0-M1 <10.1.50Fix Suggestion:
Update to version 10.1.50org.apache.tomcat:tomcat-catalina (JAVA):
Affected version(s) >=7.0.0 <9.0.113Fix Suggestion:
Update to version 9.0.113org.apache.tomcat:tomcat-coyote (JAVA):
Affected version(s) >=10.1.0-M1 <10.1.50Fix Suggestion:
Update to version 10.1.50org.apache.tomcat:tomcat-catalina (JAVA):
Affected version(s) >=11.0.0-M1 <11.0.15Fix Suggestion:
Update to version 11.0.15org.apache.tomcat:tomcat-coyote (JAVA):
Affected version(s) >=9.0.0.M1 <9.0.113Fix Suggestion:
Update to version 9.0.113org.apache.tomcat:tomcat-catalina (JAVA):
Affected version(s) >=10.1.0-M1 <10.1.50Fix Suggestion:
Update to version 10.1.50org.apache.tomcat.embed:tomcat-embed-core (JAVA):
Affected version(s) >=11.0.0-M1 <11.0.15Fix Suggestion:
Update to version 11.0.15org.apache.tomcat.embed:tomcat-embed-core (JAVA):
Affected version(s) >=7.0.0 <9.0.113Fix Suggestion:
Update to version 9.0.113org.apache.tomcat.embed:tomcat-embed-core (JAVA):
Affected version(s) >=9.0.0.M1 <9.0.113Fix Suggestion:
Update to version 9.0.113Related ResourcesĀ (12)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
PRESENT
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
EPSS
Base Score:
0.04
