FileMaker Server 22.0.5 and 21.1.7 Updates Available

Includes some bug fixes as well as some important security updates.

See Claris FileMaker Server Release Notes

Here are the Apache Tomcat vulnerabilities fixed in 22.0.5:

CVE-2025-31650 - Important: Denial of Service via invalid HTTP priority header

CVE-2025-55752 - Important: Directory traversal via Rewrite Valve with possible remote code execution if PUT is enabled

CVE-2025-55754 - Low: Console manipulation via escape sequences in log messages

CVE-2025-61795 - Low: Delayed cleaning of multipart upload temporary files may lead to DoS

See Apache Tomcat® - Apache Tomcat 10 vulnerabilities

2 Likes

There appear to be some questions being raised as to whether all the vulnerabilities were fixed or not:

Following recent communications with Apple, it has been confirmed that, despite previous statements, only some of the issues were actually fixed, while others remain open.

While your OFFICIAL release notes publicly stated that these vulnerabilities were fixed, in reality, only some issues were addressed, and others remain open. This discrepancy is concerning, as it creates a false sense of security for users. Your release indicates that vulnerabilities were addressed, yet CRITICAL components remain exposed, posing a serious risk.

I encourage you to clarify the current status of these issues. If no clear clarification is provided, I will consider publishing the full technical details in the interest of transparency and responsible disclosure.

Link

3 Likes

I’m also concerned by the ongoing issue where Apple appears to be reluctant to give credit and bounties to researchers. I don’t do that kind of work, but, like all of us, I rely on the results they provide: stronger products. If Apple keeps giving security researchers the impression that they will be cheated, they might decline to help improve Apple products. Or, it could encourage those with fewer scruples to shop the vulnerabilities around. That’s all bad for those of us who rely on Apple product security.

3 Likes

Thanks for bringing that thread to our attention.

Go ahead and publish the details (!) … unless you’re under some kind of NDA or otherwise prohibited.

This warning comes from someone else, see the link above.