A new security vulnerability has been discovered in Apache Tomcat’s CGI servlet implementation that could allow attackers to bypass configured security constraints under specific conditions.

The vulnerability, designated CVE-2025-46701, was disclosed on May 29, 2025, and affects multiple versions of the popular Java application server.