Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

cve-2025-24813
Back to All
CVE

CVE-2025-24813

Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT

Description

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:

- writes enabled for the default servlet (disabled by default)

  • support for partial PUT (enabled by default)
  • a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads

- attacker knowledge of the names of security sensitive files being uploaded

- the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

  • writes enabled for the default servlet (disabled by default)

- support for partial PUT (enabled by default)

- application was using Tomcat's file based session persistence with the default storage location

- application included a library that may be leveraged in a deserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

Base CVSS

8.8

EPSS Score

93.63%

Introduced Version

6.0.13

Fix Available

11.0.3,10.1.35,9.0.99

Available Patches

Package
CVEs Fixed
Lines of Code Changed
Package Name
org.apache.tomcat.embed:tomcat-embed-core
11.0.2
CVES Fixed
C
0
H
1
M
0
L
0
Code Changed
+7
-7

References

https://security.netapp.com/advisory/ntap-20250321-0001
https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html
https://github.com/apache/tomcat/commit/eb61aade8f8daccaecabf07d428b877975622f72
https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce
https://github.com/apache/tomcat/commit/f6c01d6577cf9a1e06792be47e623d36acc3b5dc
https://github.com/apache/tomcat
https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
http://www.openwall.com/lists/oss-security/2025/03/10/5
https://github.com/apache/tomcat/commit/0a668e0c27f2b7ca0cc7c6eea32253b9b5ecb29c
https://nvd.nist.gov/vuln/detail/CVE-2025-24813
https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md
https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance
Oops! Something went wrong, please try again.
brightness-increase
moon-01