Is API Gateway impacted by the Tomcat vulnerability CVE-2025-31651, reported by Red Hat Advanced Cluster Security on the latest Container API Gateway 11.1.2?
The Gateway does not use the specific code mentioned in CVE-2025-31651.
In Tomcat, URL rewriting is handled via the org.apache.catalina.valves.rewrite.RewriteValve class, which relies on a rewrite.config file to define the rewrite rules.
We do not offer customers the ability to specify rewrite rules, especially for access enforcement, which Red Hat says would be a bad practice anyway.
https://access.redhat.com/security/cve/cve-2025-31651
We are planning to upgrade Tomcat to 10.1.41 in v11.2.0 (ETA end of October); based on the description, the CVE is resolved in that version.
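To confirm on a given Tomcat-based image that the rewrite feature is not configured, the following added example (not vendor code) walks a directory tree for `Valve` elements declaring the `RewriteValve` class and for `rewrite.config` rule files. The function names and the sample directory layout are assumptions constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

REWRITE_VALVE = "org.apache.catalina.valves.rewrite.RewriteValve"


def find_rewrite_usage(root_dir):
    """Return (XML files declaring the RewriteValve, rewrite.config files)."""
    valve_files, rule_files = [], []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == "rewrite.config":
                rule_files.append(path)
            elif name.endswith(".xml"):
                try:
                    root = ET.parse(path).getroot()
                except ET.ParseError:
                    continue  # skip files that are not well-formed XML
                if any(v.get("className") == REWRITE_VALVE for v in root.iter("Valve")):
                    valve_files.append(path)
    return sorted(valve_files), sorted(rule_files)


def build_sample(root_dir):
    """Constructed sample: one instance with the valve enabled, one without."""
    samples = {
        "with/conf/server.xml":
            '<Server><Service><Engine><Host name="localhost">'
            f'<Valve className="{REWRITE_VALVE}"/>'
            "</Host></Engine></Service></Server>",
        "with/conf/Catalina/localhost/rewrite.config":
            "RewriteRule ^/old/(.*)$ /new/$1\n",
        "without/conf/server.xml":
            '<Server><Service><Engine><Host name="localhost">'
            '<Valve className="org.apache.catalina.valves.AccessLogValve"/>'
            "</Host></Engine></Service></Server>",
    }
    for rel, body in samples.items():
        path = os.path.join(root_dir, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        valves, rules = find_rewrite_usage(tmp)
        print("RewriteValve declared in:", valves)
        print("rewrite.config files:", rules)
```

Two empty lists from `find_rewrite_usage` on an extracted image filesystem mean no rewrite valve or rule file was found in the scanned tree; a scanner finding based only on the Tomcat version will still be reported until the library itself is upgraded.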