Tomcat: Path Equivalence leading to remote code execution and information disclosure (CVE-2025-24813) #shorts

Summary

In today's podcast, we delve into a newly discovered vulnerability, CVE-2025-24813, affecting Apache Tomcat. This critical security flaw has been actively exploited in the wild, raising significant concerns in the cybersecurity community. Stay with us as we unpack the details and implications of this threat.

Product details

Apache Tomcat, developed by the Apache Software Foundation, is a popular open-source implementation of the Java Servlet, JavaServer Pages, and other Java-based technologies. It is widely used for deploying and running Java applications across diverse environments, thus making this vulnerability particularly noteworthy given Tomcat's widespread adoption.

Vulnerability type summary

CVE-2025-24813 is characterized as a remote code execution and information disclosure vulnerability, stemming from path equivalence issues and the deserialization of untrusted data. In simpler terms, this flaw can allow attackers to execute arbitrary code and access sensitive information if certain conditions are met.

Details of the vulnerability

The vulnerability affects Apache Tomcat versions from 9.0.0-M1 to 9.0.98, 10.1.0-M1 to 10.1.34, and 11.0.0-M1 to 11.0.2. Exploitation is possible only when writes are enabled for the default servlet (disabled by default) and partial PUT support is active (enabled by default); on top of that, information disclosure requires that security-sensitive uploads land in a sub-directory of a public upload path, while remote code execution requires file-based session persistence in the default location together with an application library that can be leveraged in a deserialization attack. Attackers meeting these conditions can inject malicious content and extract sensitive information if they know the relevant file paths.
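As an added example (not from the podcast or from the Apache Tomcat project), the following Python script lets an administrator verify two of the preconditions listed above offline: whether a Tomcat version string falls inside the affected ranges stated on this page, and whether the DefaultServlet in conf/web.xml has its readonly init-param set to false (writes enabled). The servlet class org.apache.catalina.servlets.DefaultServlet and the readonly parameter are Tomcat's own; the sample web.xml is constructed for the example. It does not check partial PUT support or session persistence settings, which must be reviewed separately.

```python
"""Offline triage for the CVE-2025-24813 preconditions (added example).

Checks (1) whether a Tomcat version is in an affected range and
(2) whether conf/web.xml enables writes on the DefaultServlet.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges and first fixed release, as stated in the advisory:
# (first affected, last affected, first fixed)
AFFECTED = [
    ("9.0.0-M1", "9.0.98", "9.0.99"),
    ("10.1.0-M1", "10.1.34", "10.1.35"),
    ("11.0.0-M1", "11.0.2", "11.0.3"),
]

# Accepts 9.0.98, 9.0.0-M1 and the 9.0.0.M1 spelling used in the CVE record.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(v):
    """Return a sortable tuple; milestone builds sort before the GA release."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    # milestone: (..., 0, n); GA: (..., 1, 0) so every M-build precedes GA
    tail = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + tail


def fixed_version_for(v):
    """Return the first fixed release for an affected version, else None."""
    pv = parse_version(v)
    for lo, hi, fixed in AFFECTED:
        if parse_version(lo) <= pv <= parse_version(hi):
            return fixed
    return None


def is_affected_version(v):
    return fixed_version_for(v) is not None


def _local(tag):
    """Strip the XML namespace so the check works for any web-app schema."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writes_enabled(web_xml_text):
    """True if the DefaultServlet declaration sets init-param readonly=false.

    readonly defaults to true in Tomcat, so an absent parameter means writes
    are disabled.
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if cls.strip() != "org.apache.catalina.servlets.DefaultServlet":
            continue
        for ip in servlet:
            if _local(ip.tag) != "init-param":
                continue
            name = value = ""
            for c in ip:
                if _local(c.tag) == "param-name":
                    name = (c.text or "").strip()
                elif _local(c.tag) == "param-value":
                    value = (c.text or "").strip()
            if name == "readonly":
                return value.lower() == "false"
    return False


def triage(version, web_xml_text):
    """Combine both checks into a list of findings for the operator."""
    findings = []
    fixed = fixed_version_for(version)
    if fixed:
        findings.append(f"version {version} is in an affected range; upgrade to {fixed}")
    if default_servlet_writes_enabled(web_xml_text):
        findings.append("DefaultServlet has readonly=false (writes enabled; Tomcat default is true)")
    return findings


# Constructed sample web.xml: a default servlet with writes enabled.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""

if __name__ == "__main__":
    for finding in triage("10.1.20", SAMPLE_WEB_XML):
        print("FINDING:", finding)
```

In practice, point the script at the actual conf/web.xml of each instance and at the version reported by the server's version script; a server that is both in an affected range and has readonly=false satisfies the two preconditions shared by both exploitation paths described above.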

Conclusion

As always, we advise users and administrators of Apache Tomcat to immediately upgrade to versions 11.0.3, 10.1.35, or 9.0.99 to mitigate this threat. Staying informed and proactive about updates is key in preserving the security integrity of your systems. Thank you for joining us on this cybersecurity briefing, and stay safe out there!

Watch the full video on YouTube: CVE-2025-24813

CVE database technical details

CVE ID
CVE-2025-24813
Description
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
Provider
apache
CWE / problem types
CWE-44 Path Equivalence: 'file.name' (Internal Dot), CWE-502 Deserialization of Untrusted Data
Affected Software Versions
Apache Software Foundation: Apache Tomcat
- from 11.0.0-M1 through 11.0.2 (affected, semver)
- from 10.1.0-M1 through 10.1.34 (affected, semver)
- from 9.0.0.M1 through 9.0.98 (affected, semver)
Date Published
2025-03-10T16:44:03.715Z
Last Updated
2025-04-02T22:03:17.999Z