CVE-2025-24813

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq	Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/03/10/5	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20250321-0001/
https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce
https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce
https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md	Exploit

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone1::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone10::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone11::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone12::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone13::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone14::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone15::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone16::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone17::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone18::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone19::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone2::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone20::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone21::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone22::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone23::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone24::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone25::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone26::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone27::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone3::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone4::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone5::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone6::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone7::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone8::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone9::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone1::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone10::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone11::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone12::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone13::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone14::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone15::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone16::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone17::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone18::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone19::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone2::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone20::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone3::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone4::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone5::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone6::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone7::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone8::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone9::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone1::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone10::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone11::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone12::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone13::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone14::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone15::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone16::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone17::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone18::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone19::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone2::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone20::::::
	cpe:2.3:a:apache:tomcat:11.0.0:milestone21::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone22::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone23::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone24::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone25::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone3::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone4::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone5::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone6::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone7::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone8::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone9::::::

History

21 Mar 2025, 18:15

Type	Values Removed	Values Added
References		() https://security.netapp.com/advisory/ntap-20250321-0001/ -

19 Mar 2025, 21:15

Type	Values Removed	Values Added
References		() https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce - () https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce -

18 Mar 2025, 17:19

Type	Values Removed	Values Added
CPE		cpe:2.3:a:apache:tomcat:9.0.0:milestone17:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone7:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone16:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone21:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone14:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone15:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone19:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone3:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone15:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone5:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone23:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone6:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone20:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone16:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone9:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone10:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone23:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone2:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone14:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone12:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone11:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone1:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone19:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone6:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone17:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone21:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone16:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone19:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone2:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone5:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone17:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone24:::::: cpe:2.3:a:apache:tomcat:::::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone7:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone11:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone3:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone11:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone20:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone9:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone13:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone1:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone13:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone8:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone4:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone25:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone22:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone3:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone25:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone12:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone18:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone22:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone18:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone12:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone4:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone15:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone7:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone26:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone5:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone27:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone10:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone8:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone4:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone2:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone6:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone20:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone18:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone14:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone8:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone24:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone1:::::: cpe:2.3:a:apache:tomcat:11.0.0:milestone10:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone9:::::: cpe:2.3:a:apache:tomcat:9.0.0:milestone13::::::
CWE		CWE-706
References	~~() https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq -~~	() https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq - Vendor Advisory
References	~~() http://www.openwall.com/lists/oss-security/2025/03/10/5 -~~	() http://www.openwall.com/lists/oss-security/2025/03/10/5 - Mailing List, Third Party Advisory
References	~~() https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md -~~	() https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md - Exploit
First Time		Apache Apache tomcat

18 Mar 2025, 16:15

Type	Values Removed	Values Added
Summary	(en) Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue.	(en) Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

18 Mar 2025, 14:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

17 Mar 2025, 16:15

Type	Values Removed	Values Added
CWE	~~CWE-444~~
CVSS	v2 : ~~unknown~~ v3 : ~~5.5~~	v2 : unknown v3 : unknown
References		() https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md -

12 Mar 2025, 19:15

Type	Values Removed	Values Added
Summary		(es) Equivalencia de ruta: 'file.Name' (punto interno) que conduce a la ejecución remota de código y/o divulgación de información y/o contenido malicioso agregado a los archivos cargados a través del servlet predeterminado habilitado para escritura en Apache Tomcat. Este problema afecta a Apache Tomcat: desde 11.0.0-M1 hasta 11.0.2, desde 10.1.0-M1 hasta 10.1.34, desde 9.0.0.M1 hasta 9.0.98. Si todo lo siguiente fuera cierto, un usuario malintencionado podría ver archivos sensibles de seguridad y/o inyectar contenido en esos archivos: - escrituras habilitadas para el servlet predeterminado (deshabilitado por defecto) - soporte para PUT parcial (habilitado por defecto) - una URL de destino para cargas sensibles de seguridad que era un subdirectorio de una URL de destino para cargas públicas - conocimiento del atacante de los nombres de los archivos sensibles de seguridad que se estaban cargando - los archivos sensibles de seguridad también se estaban cargando a través de PUT parcial Si todo lo siguiente fuera cierto, un usuario malintencionado podría realizar una ejecución remota de código: - escrituras habilitadas para el servlet predeterminado (deshabilitado por defecto) - soporte para PUT parcial (habilitado por defecto) - la aplicación estaba usando la persistencia de sesión basada en archivos de Tomcat con la ubicación de almacenamiento predeterminada - la aplicación incluía una biblioteca que se puede aprovechar en un ataque de deserialización Se recomienda a los usuarios actualizar a la versión 11.0.3, 10.1.35 o 9.0.98, que corrige el problema.
CWE		CWE-444
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5

10 Mar 2025, 19:15

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2025/03/10/5 -

10 Mar 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-10 17:15

Updated : 2025-04-02 01:00

NVD link : CVE-2025-24813

Mitre link : CVE-2025-24813

CVE.ORG link : CVE-2025-24813

JSON object : View

Products Affected

apache

tomcat

CWE

CWE-44

Path Equivalence: 'file.name' (Internal Dot)

CWE-502

Deserialization of Untrusted Data

CWE-706

Use of Incorrectly-Resolved Name or Reference

9.8 /10