CVE-2025-66614
Severity CVSS v4.0:
Pending analysis
Type:
CWE-20
Input Validation
Publication date:
17/02/2026
Last modified:
18/02/2026
Description
Improper Input Validation vulnerability.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112.

The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected.

Tomcat did not validate that the host name provided via the SNI extension was the same as the host name provided in the HTTP Host header field. If Tomcat was configured with more than one virtual host and the TLS configuration for one of those hosts did not require client certificate authentication but another one did, it was possible for a client to bypass client certificate authentication by sending different host names in the SNI extension and the HTTP Host header field.

The vulnerability only applies if client certificate authentication is enforced only at the Connector. It does not apply if client certificate authentication is enforced at the web application.

Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later, or 9.0.113 or later, which fix the issue.
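The SNI/Host consistency check this advisory says was missing, written as an added Python example (not Tomcat's code and not part of the advisory): it normalizes both names the same way before comparing them, and separately flags the request shape described above for detection. The VIRTUAL_HOSTS policy map and the treatment of a request without SNI as consistent are assumptions made for the example.

```python
"""Consistency check between the TLS SNI host name and the HTTP Host header,
plus a detector for the request shape that exploits its absence. Both values
are normalized so that a port suffix, letter case, a trailing dot or IPv6
brackets cannot mask a real mismatch."""
from __future__ import annotations

# Constructed per-virtual-host TLS policy: does the host require a client cert?
VIRTUAL_HOSTS = {"public.example.org": False, "admin.example.org": True}


def normalize_host(value: str | None) -> str | None:
    """Return the bare, lower-cased host from an SNI name or a Host header
    value (optional ':port' removed), or None if absent or malformed."""
    if value is None:
        return None
    value = value.strip()
    if value.startswith("["):                  # IPv6 literal, e.g. [::1]:8443
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, rest = value.partition(":")
        rest = sep + rest
    if rest and not (rest.startswith(":") and rest[1:].isdigit()):
        return None                            # junk after the host name
    host = host.rstrip(".").lower()
    return host or None


def sni_matches_host(sni: str | None, host_header: str | None) -> bool:
    """True when the SNI name and the Host header name agree. A request with
    no SNI is treated as consistent (assumption for this example); a missing
    or malformed Host header never matches."""
    host = normalize_host(host_header)
    if host is None:
        return False
    return sni is None or normalize_host(sni) == host


def bypass_attempt(sni: str | None, host_header: str | None) -> bool:
    """Flag the shape described in the advisory: TLS negotiated for a host
    whose config does not require a client certificate, while the Host header
    targets a host whose config does. Rejecting every SNI/Host mismatch
    (sni_matches_host) stops such a request before the stricter host sees it."""
    sni_host, target = normalize_host(sni), normalize_host(host_header)
    if sni_host is None or target is None or sni_host == target:
        return False
    return VIRTUAL_HOSTS.get(sni_host) is False and VIRTUAL_HOSTS.get(target) is True
```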