Tomcat Update 9.0.109 (MINDBREEZE34929)
ID: MINDBREEZE34929
Affected Components: Mindbreeze InSpire, Mindbreeze InSpire SaaS
Severity: 9.8 Critical
Status: Final
First published: December 12, 2025
CVEs: CVE-2025-31651, CVE-2025-24813, CVE-2025-31650, CVE-2025-48988, CVE-2025-49125, CVE-2025-53506, CVE-2025-52520, CVE-2025-52434, CVE-2025-48989, CVE-2025-55668
Summary
- CVE-2025-31651: Apache Tomcat is vulnerable to a rewrite rule bypass via specially crafted requests under unlikely configurations, potentially evading security constraints
- CVE-2025-24813: A path equivalence flaw in Apache Tomcat's Default Servlet enables remote code execution, information disclosure, or malicious content injection via uploaded files
- CVE-2025-31650: Improper input validation in Apache Tomcat's HTTP priority headers causes memory leaks from failed requests, potentially leading to denial-of-service via OutOfMemoryException
- CVE-2025-48988: Apache Tomcat suffers from resource allocation without limits or throttling, enabling potential exhaustion attacks
- CVE-2025-49125: An authentication bypass in Apache Tomcat allows access to PreResources or PostResources via unexpected paths when not mounted at the web app root
- CVE-2025-53506: Uncontrolled resource consumption in Apache Tomcat occurs if HTTP/2 clients ignore initial settings frames limiting concurrent streams
- CVE-2025-52520: An integer overflow in Apache Tomcat's multipart upload handling bypasses size limits under unlikely configurations, causing denial-of-service
- CVE-2025-52434: A race condition in Apache Tomcat's APR/Native connector when HTTP/2 connections are closed leads to improper synchronization and potential issues
- CVE-2025-48989: Improper resource shutdown in Apache Tomcat enables a "made you reset" denial-of-service attack
- CVE-2025-55668: A session fixation vulnerability in Apache Tomcat's rewrite valve affects session security
Hotfix Information
Fixed in the following versions of Mindbreeze InSpire On-Premises and Mindbreeze InSpire SaaS:
- Mindbreeze InSpire 25.7 Release
- Mindbreeze InSpire SaaS 25.7 Release