CVE-2025-24813
📋 TL;DR
This vulnerability in Apache Tomcat allows path traversal attacks via internal dot handling in filenames, potentially leading to remote code execution, information disclosure, or file corruption. It affects Tomcat versions 9.0.0.M1 through 9.0.98, 10.1.0-M1 through 10.1.34, and 11.0.0-M1 through 11.0.2, with older EOL versions also potentially vulnerable. Exploitation requires specific non-default configurations including write-enabled default servlet and partial PUT support.
💻 Affected Systems
- Apache Tomcat
📦 What is this software?
Tomcat by Apache
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution via deserialization attacks when combined with file-based session persistence and vulnerable libraries, allowing complete system compromise.
Likely Case
Information disclosure where attackers can read sensitive files or inject content into uploaded files when specific upload directory configurations exist.
If Mitigated
No impact if default servlet writes are disabled (default configuration) or partial PUT support is disabled.
🎯 Exploit Status
Exploitation requires specific configuration conditions and attacker knowledge of file names. Public technical details and proof-of-concept references exist in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.0.3, 10.1.35, or 9.0.99
Vendor Advisory: https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
Restart Required: Yes
Instructions:
1. Download the patched version from the Apache Tomcat website.
2. Back up the current installation.
3. Stop the Tomcat service.
4. Replace the installation with the patched version.
5. Restart the Tomcat service.
6. Verify the version update.
🔧 Temporary Workarounds
Disable default servlet writes
Prevent exploitation by disabling write permissions on the default servlet.
Edit web.xml to set readonly parameter to true for DefaultServlet: <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
Disable partial PUT support
Remove the partial PUT capability that enables the path traversal.
Set allowPartialPut parameter to false in DefaultServlet configuration in web.xml
🧯 If You Can't Patch
- Implement both workarounds: disable default servlet writes AND disable partial PUT support
- Restrict network access to Tomcat instances and implement WAF rules to block PUT requests with suspicious filenames
🔍 How to Verify
Check if Vulnerable:
Check Tomcat version via catalina.sh version or version.bat, and verify if writes are enabled for DefaultServlet in web.xml configuration
Check Version:
./catalina.sh version (Unix) or catalina.bat version (Windows)
Verify Fix Applied:
Confirm Tomcat version is 11.0.3+, 10.1.35+, or 9.0.99+ using version command, and verify readonly=true for DefaultServlet
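The checks above can be scripted. The following is an added example, not code from the advisory or from the Tomcat project: it compares a reported version string against the fixed versions listed above and inspects a `conf/web.xml` for the two DefaultServlet workarounds (`readonly` and `allowPartialPut`). The sample `web.xml` fragments are constructed for the example; the version strings it accepts (`Apache Tomcat/9.0.98`, `9.0.0.M1`, `10.1.0-M1`) follow the formats used in this advisory and in the `version` script output, and treating an absent `allowPartialPut` as "not disabled" is an assumption that follows the advisory's instruction to set it explicitly.

```python
"""Added example: verify Tomcat version and DefaultServlet settings for CVE-2025-24813.
Not part of the advisory or the Tomcat project."""
import re
import xml.etree.ElementTree as ET

# Fixed versions from the advisory, keyed by release branch (major, minor).
FIXED = {(9, 0): (9, 0, 99), (10, 1): (10, 1, 35), (11, 0): (11, 0, 3)}


def parse_version(s):
    """Turn 'Apache Tomcat/9.0.98', '9.0.0.M1' or '10.1.0-M1' into a sortable tuple.
    A milestone (M-release) sorts before the final release of the same number."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    milestone = m.group(4)
    return (major, minor, patch, 0 if milestone else 1, int(milestone or 0))


def version_is_fixed(s):
    """True if the version is at or past the fixed release for its branch,
    False if older, None if the branch is not one the advisory lists (check manually)."""
    v = parse_version(s)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed + (1, 0)   # (1, 0) marks the fixed release as a final, non-milestone build


def default_servlet_params(web_xml_text):
    """Return the init-params of the servlet whose class is DefaultServlet.
    Matching is done on local tag names so the Tomcat 9 (javaee) and
    Tomcat 10/11 (jakartaee) schemas are both handled."""
    local = lambda el: el.tag.rsplit("}", 1)[-1]
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if local(servlet) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if local(c) == "servlet-class"), "")
        if not cls.strip().endswith(".DefaultServlet"):
            continue
        params = {}
        for ip in servlet:
            if local(ip) == "init-param":
                kv = {local(c): (c.text or "").strip() for c in ip}
                params[kv.get("param-name")] = kv.get("param-value")
        return params
    return {}


def workarounds_applied(web_xml_text):
    """Report the two workarounds. 'readonly' defaults to true when absent;
    'allowPartialPut' is only counted as disabled when set to false explicitly (assumption)."""
    p = default_servlet_params(web_xml_text)
    return {
        "readonly": p.get("readonly", "true").lower() == "true",
        "allowPartialPut_false": p.get("allowPartialPut", "").lower() == "false",
    }


def assess(version_string, web_xml_text):
    """Combine both checks. 'exposed' follows the advisory's 'If Mitigated' rule:
    no impact when writes are disabled or partial PUT is disabled (or the version is fixed)."""
    patched = version_is_fixed(version_string)
    wa = workarounds_applied(web_xml_text)
    exposed = patched is not True and not wa["readonly"] and not wa["allowPartialPut_false"]
    return {"patched": patched, **wa, "exposed": exposed}


# Constructed sample conf/web.xml fragments (not real deployment files).
WEB_XML_TEMPLATE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    {params}
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""
VULNERABLE_WEB_XML = WEB_XML_TEMPLATE.format(
    params="<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>")
HARDENED_WEB_XML = WEB_XML_TEMPLATE.format(
    params="<init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>\n"
           "    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>")

if __name__ == "__main__":
    for ver, xml in (("Apache Tomcat/9.0.98", VULNERABLE_WEB_XML), ("9.0.99", VULNERABLE_WEB_XML),
                     ("9.0.98", HARDENED_WEB_XML)):
        print(ver, assess(ver, xml))
```

In practice, feed `assess` the first line of `./version.sh` (or `catalina.sh version`) output and the contents of `conf/web.xml`; an `exposed` result of `True` means the instance is both unpatched and configured the way the advisory says exploitation requires.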
📡 Detection & Monitoring
Log Indicators:
- Unusual PUT requests with filenames containing internal dots
- Access to unexpected file paths in access logs
- Errors related to file uploads or session persistence
Network Indicators:
- HTTP PUT requests to Tomcat with filenames containing '..' patterns
- Unusual file upload patterns to sensitive directories
SIEM Query:
source="tomcat_access.log" AND (method="PUT" AND (uri MATCHES ".*\\.\\..*" OR uri MATCHES ".*%2e%2e.*"))
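The same indicators can be applied to raw access logs where no SIEM is available. The following is an added example, not code from the advisory: it parses lines in the Tomcat `AccessLogValve` "common" pattern, keeps only PUT requests, percent-decodes the request URI (the `%r` field logs the raw request line, so `%2e%2e` stays encoded in the log) and flags the two patterns listed above. The log lines are constructed for the example, and the low-severity rule for leading or extra dots in the filename is a heuristic of this example, not a rule from the advisory.

```python
"""Added example: flag PUT requests matching the CVE-2025-24813 log indicators.
Not part of the advisory or the Tomcat project."""
import re
from urllib.parse import unquote

# Tomcat AccessLogValve "common" pattern:
#   host ident user [time] "method uri protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def classify_put_target(uri):
    """Return (severity, reason) for a PUT target matching the indicators, else None.
    The URI is decoded twice so that double-encoded dot-dot sequences are also caught."""
    path = unquote(unquote(uri)).split("?", 1)[0]
    if ".." in path:
        return ("high", "dot-dot sequence in request path")
    name = path.rsplit("/", 1)[-1]
    # Heuristic (assumption of this example): a filename that starts with a dot or carries
    # more than one dot is unusual for an upload target. Names like report.pdf are not flagged;
    # multi-extension names such as archive.tar.gz will be, so tune this for your application.
    if name.startswith(".") or name.count(".") > 1:
        return ("low", "leading or internal dot in filename")
    return None


def scan_access_log(lines):
    """Parse each line, keep PUT requests, and return the flagged ones with context."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "PUT":
            continue
        verdict = classify_put_target(m.group("uri"))
        if verdict is None:
            continue
        severity, reason = verdict
        hits.append({
            "host": m.group("host"),
            "time": m.group("time"),
            "uri": m.group("uri"),
            "status": int(m.group("status")),
            "severity": severity,
            "reason": reason,
        })
    return hits


# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2025:09:12:01 +0000] "GET /docs/index.html HTTP/1.1" 200 4096',
    '10.0.0.5 - - [10/Mar/2025:09:12:07 +0000] "PUT /uploads/report.pdf HTTP/1.1" 201 -',
    '198.51.100.7 - - [10/Mar/2025:09:13:44 +0000] "PUT /uploads/../x.txt HTTP/1.1" 409 -',
    '198.51.100.7 - - [10/Mar/2025:09:13:51 +0000] "PUT /uploads/%2E%2E/x.txt HTTP/1.1" 409 -',
    '203.0.113.9 - - [10/Mar/2025:09:20:15 +0000] "PUT /uploads/.hidden HTTP/1.1" 201 -',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["severity"]:5} {hit["host"]:14} {hit["status"]} {hit["uri"]}  ({hit["reason"]})')
```

A 4xx status on a flagged PUT does not mean the attempt failed harmlessly: the advisory's worst case depends on what was written to disk, so correlate high-severity hits with the DefaultServlet `readonly` setting and with file-system changes under the web application and session-store directories.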
🔗 References
- https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
- http://www.openwall.com/lists/oss-security/2025/03/10/5
- https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html
- https://security.netapp.com/advisory/ntap-20250321-0001/
- https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce
- https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce
- https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-detect-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-mitigation-vulnerability
- https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24813