CVE-2025-24813

Path Equivalence: 'file.Name' (Internal Dot) leading toRemote Code Execution and/or Information disclosureand/or malicious content added to uploaded files via write enabledDefault Servletin Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.

If all of the following were true, a malicious user was able to view       security sensitive files and/or inject content into those files:
-writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory ofa target URL for public uploads
-attacker knowledge of the names of security sensitive files beinguploaded
-the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to       perform remote code execution:
- writes enabled for the default servlet (disabled by default)
-support for partial PUT (enabled by default)
-application was using Tomcat's file based session persistence with thedefault storage location
-application included a library that may be leveraged in adeserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
Internal Dot
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
apacheCNA
---
---
CVEADP
---
---
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
VendorProductVersion
apachetomcat
9.0.1 ≤
𝑥
< 9.0.99
apachetomcat
10.1.1 ≤
𝑥
< 10.1.35
apachetomcat
11.0.1 ≤
𝑥
< 11.0.3
apachetomcat
9.0.0:milestone1
apachetomcat
9.0.0:milestone10
apachetomcat
9.0.0:milestone11
apachetomcat
9.0.0:milestone12
apachetomcat
9.0.0:milestone13
apachetomcat
9.0.0:milestone14
apachetomcat
9.0.0:milestone15
apachetomcat
9.0.0:milestone16
apachetomcat
9.0.0:milestone17
apachetomcat
9.0.0:milestone18
apachetomcat
9.0.0:milestone19
apachetomcat
9.0.0:milestone2
apachetomcat
9.0.0:milestone20
apachetomcat
9.0.0:milestone21
apachetomcat
9.0.0:milestone22
apachetomcat
9.0.0:milestone23
apachetomcat
9.0.0:milestone24
apachetomcat
9.0.0:milestone25
apachetomcat
9.0.0:milestone26
apachetomcat
9.0.0:milestone27
apachetomcat
9.0.0:milestone3
apachetomcat
9.0.0:milestone4
apachetomcat
9.0.0:milestone5
apachetomcat
9.0.0:milestone6
apachetomcat
9.0.0:milestone7
apachetomcat
9.0.0:milestone8
apachetomcat
9.0.0:milestone9
apachetomcat
10.1.0:milestone1
apachetomcat
10.1.0:milestone10
apachetomcat
10.1.0:milestone11
apachetomcat
10.1.0:milestone12
apachetomcat
10.1.0:milestone13
apachetomcat
10.1.0:milestone14
apachetomcat
10.1.0:milestone15
apachetomcat
10.1.0:milestone16
apachetomcat
10.1.0:milestone17
apachetomcat
10.1.0:milestone18
apachetomcat
10.1.0:milestone19
apachetomcat
10.1.0:milestone2
apachetomcat
10.1.0:milestone20
apachetomcat
10.1.0:milestone3
apachetomcat
10.1.0:milestone4
apachetomcat
10.1.0:milestone5
apachetomcat
10.1.0:milestone6
apachetomcat
10.1.0:milestone7
apachetomcat
10.1.0:milestone8
apachetomcat
10.1.0:milestone9
apachetomcat
11.0.0:milestone1
apachetomcat
11.0.0:milestone10
apachetomcat
11.0.0:milestone11
apachetomcat
11.0.0:milestone12
apachetomcat
11.0.0:milestone13
apachetomcat
11.0.0:milestone14
apachetomcat
11.0.0:milestone15
apachetomcat
11.0.0:milestone16
apachetomcat
11.0.0:milestone17
apachetomcat
11.0.0:milestone18
apachetomcat
11.0.0:milestone19
apachetomcat
11.0.0:milestone2
apachetomcat
11.0.0:milestone20
apachetomcat
11.0.0:milestone21
apachetomcat
11.0.0:milestone22
apachetomcat
11.0.0:milestone23
apachetomcat
11.0.0:milestone24
apachetomcat
11.0.0:milestone25
apachetomcat
11.0.0:milestone3
apachetomcat
11.0.0:milestone4
apachetomcat
11.0.0:milestone5
apachetomcat
11.0.0:milestone6
apachetomcat
11.0.0:milestone7
apachetomcat
11.0.0:milestone8
apachetomcat
11.0.0:milestone9
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
tomcat10
bookworm
vulnerable
bookworm (security)
vulnerable
sid
10.1.35-1
fixed
trixie
10.1.35-1
fixed
tomcat9
bullseye
vulnerable
bullseye (security)
vulnerable
bookworm
9.0.70-2
fixed
sid
9.0.95-1
fixed
trixie
9.0.95-1
fixed
Common Weakness Enumeration
References
https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
http://www.openwall.com/lists/oss-security/2025/03/10/5
https://security.netapp.com/advisory/ntap-20250321-0001/
https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce
https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce
https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md