CVE-2025-31650 and Lucee

Will there be an update to Lucee (specifically embedded Tomcat) to address this Tomcat vulnerability: CVE-2025-31650?

https://nvd.nist.gov/vuln/detail/cve-2025-31650

This is how I update Tomcat on Windows.

  1. Download the core Tomcat 11 in ZIP format from Apache Tomcat® - Apache Tomcat 11 Software Downloads

  2. Stop the Lucee service

  3. Copy the contents of the C:\Lucee\tomcat\lib folder to a backup

  4. Copy the contents of the C:\Lucee\tomcat\bin folder to a backup

  5. Unzip the contents of the corresponding lib folder into the C:\Lucee\tomcat\lib folder.

  6. Unzip the contents of the corresponding bin folder into the C:\Lucee\tomcat\bin folder.

  7. Restart the Lucee service

That vulnerability was published six months ago and indicates that the issue was resolved in Tomcat 11.0.6. Lucee is currently bundled with Tomcat 11.0.9.

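The manual steps from this thread as a PowerShell script, with a check of the installed Tomcat version against the 11.0.6 fix version mentioned above. This is an added example, not code from the posters or the Lucee project; the service name `Lucee`, the ZIP path, the backup folder and the SHA-512 parameter are assumptions to adjust for your install.

```powershell
param(
    [Parameter(Mandatory)][string]$ExpectedSha512,      # value published next to the Apache download
    [string]$ZipPath     = 'C:\Temp\apache-tomcat.zip', # assumed location of the downloaded core ZIP
    [string]$TomcatDir   = 'C:\Lucee\tomcat',
    [string]$BackupRoot  = 'C:\Lucee\tomcat-backup',    # assumed backup folder
    [string]$ServiceName = 'Lucee',                     # assumed Windows service name
    [version]$FixedIn    = '11.0.6'                     # fix version cited in the thread
)
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-TomcatVersion([string]$Dir) {
    # catalina.jar contains ServerInfo.properties with a server.number line
    $jar = [System.IO.Compression.ZipFile]::OpenRead((Join-Path $Dir 'lib\catalina.jar'))
    try {
        $entry = $jar.GetEntry('org/apache/catalina/util/ServerInfo.properties')
        if (-not $entry) { throw 'ServerInfo.properties not found in catalina.jar' }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $jar.Dispose() }
    if ($text -match '(?m)^server\.number=(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    throw 'server.number not found in ServerInfo.properties'
}

# Refuse to install a ZIP that does not match the published hash
if ((Get-FileHash $ZipPath -Algorithm SHA512).Hash -ne $ExpectedSha512) { throw 'ZIP hash mismatch' }
Write-Host "Before: Tomcat $(Get-TomcatVersion $TomcatDir)"

Stop-Service -Name $ServiceName                                   # step 2
$backup = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $backup | Out-Null
foreach ($d in 'lib', 'bin') {                                    # steps 3 and 4
    Copy-Item (Join-Path $TomcatDir $d) -Destination $backup -Recurse
}

$staging = Join-Path $env:TEMP ("tomcat-" + [guid]::NewGuid())
Expand-Archive -Path $ZipPath -DestinationPath $staging
$newRoot = Get-ChildItem $staging -Directory | Select-Object -First 1  # apache-tomcat-<version>
foreach ($d in 'lib', 'bin') {                                    # steps 5 and 6
    Copy-Item (Join-Path $newRoot.FullName "$d\*") (Join-Path $TomcatDir $d) -Recurse -Force
}
Remove-Item $staging -Recurse -Force
Start-Service -Name $ServiceName                                  # step 7

$now = Get-TomcatVersion $TomcatDir
if ($now -lt $FixedIn) { Write-Warning "Tomcat $now is older than $FixedIn" }
else { Write-Host "After: Tomcat $now (at or above $FixedIn)" }
```

Run it from an elevated prompt; if the copy fails partway, the service stays stopped and the timestamped backup holds the previous `lib` and `bin` folders.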