PT-2025-10603 · Apache · Apache Tomcat
Sw0Rd1Ight · Published 2025-02-10 · Updated 2026-06-02
CVE-2025-24813
CVSS v2.0: 10 (Critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 9.0.0.M1 through 9.0.98
Apache Tomcat versions 10.1.0-M1 through 10.1.34
Apache Tomcat versions 11.0.0-M1 through 11.0.2
Description
Apache Tomcat's default servlet is affected by a path equivalence vulnerability: when partial PUT is used, a request path can be resolved onto a file the attacker was never meant to reach, so an attacker can write to, or read, files outside the intended upload location. Two impacts follow. The first is information disclosure and/or malicious content added to uploaded files: an attacker can view security-sensitive files and/or inject content into them if all of the following hold: writes are enabled for the default servlet (it is read-only by default), support for partial PUT is enabled (the default), and the attacker knows the names of the security-sensitive files. The second is remote code execution, which additionally requires that the application use Tomcat's file-based session persistence and that the classpath contain a library that can be leveraged in a deserialization attack. It is estimated that over 10.7 million services are potentially affected.
Recommendations
To resolve the issue, upgrade to version 11.0.3, 10.1.35, or 9.0.99, the first releases on each branch that fix it (9.0.98 is the last affected release on the 9.0 branch, not a fixed one).
If upgrading is not immediately possible, return the default servlet to read-only (the readonly init-param in conf/web.xml, which is true by default), since every exploitation path requires a write-enabled default servlet.
Restrict access to security-sensitive files and directories, and keep sensitive upload locations out of publicly writable paths, to minimize the risk of exploitation.
Disable partial PUT on the default servlet (the allowPartialPut init-param, true by default) until the upgrade is done; the disclosure and RCE paths both depend on it.
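The two conditions above (an affected version, plus a write-enabled default servlet with partial PUT still allowed) are what a practitioner most wants to check quickly across a fleet. The following script is an added example, not code from the advisory or from the Apache Tomcat project: it parses a Tomcat version string (handling milestone releases such as 9.0.0.M1 and 10.1.0-M1, which sort before the GA release), compares it against the three affected ranges stated on this page only (other branches are reported as unknown), and inspects a conf/web.xml for the DefaultServlet `readonly` and `allowPartialPut` init-params. The two web.xml documents are constructed samples, one weak and one hardened, and the RCE preconditions (file-based session persistence, gadget library) are deliberately out of scope.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as listed in this advisory: branch -> (first affected, last affected, first fixed).
# Branches not listed here (e.g. 8.5.x) are reported as None rather than guessed.
AFFECTED = {
    (9, 0): ("9.0.0.M1", "9.0.98", "9.0.99"),
    (10, 1): ("10.1.0-M1", "10.1.34", "10.1.35"),
    (11, 0): ("11.0.0-M1", "11.0.2", "11.0.3"),
}

# GA releases (9.0.98) and milestones written as 9.0.0.M1 or 10.1.0-M1.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(version):
    """Map a Tomcat version string to a sortable tuple; milestones sort before the GA with the same numbers."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version):
    """True/False for the three branches in the advisory, None for a branch it does not list."""
    parsed = parse_version(version)
    rng = AFFECTED.get(parsed[:2])
    if rng is None:
        return None
    first, last, _fixed = rng
    return parse_version(first) <= parsed <= parse_version(last)


def _local(tag):
    """Strip the XML namespace so Tomcat 9 (javaee) and 10/11 (jakartaee) web.xml both work."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml_text):
    """Return the init-params of the servlet declared with org.apache.catalina.servlets.DefaultServlet."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if cls.strip() != "org.apache.catalina.servlets.DefaultServlet":
            continue
        params = {}
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            name = value = None
            for child in init_param:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name:
                params[name] = value
        return params
    return {}


def config_findings(web_xml_text):
    """List which of the advisory's configuration preconditions this web.xml satisfies."""
    params = default_servlet_params(web_xml_text)
    findings = []
    # readonly defaults to true; only an explicit "false" lets the default servlet accept PUT.
    if params.get("readonly", "true").lower() == "false":
        findings.append("write-enabled default servlet (readonly=false)")
    # allowPartialPut defaults to true, so partial PUT stays on unless explicitly switched off.
    if params.get("allowPartialPut", "true").lower() != "false":
        findings.append("partial PUT allowed (allowPartialPut not set to false)")
    return findings


def assess(version, web_xml_text):
    """Exposed only when the version is affected AND both configuration preconditions hold."""
    affected = is_affected(version)
    findings = config_findings(web_xml_text)
    return {"version_affected": affected, "findings": findings,
            "exposed": bool(affected) and len(findings) == 2}


# Constructed samples, not real deployments: the weak configuration beside the hardened one.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

HARDENED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, assess("10.1.34", xml_text))
```

Note that the weak sample never mentions allowPartialPut: leaving it unset is enough, because the parameter defaults to true, which is exactly why the advisory treats "support for partial PUT" as the default state. A read-only default servlet (the shipped default) short-circuits both exploitation paths regardless of version, which is why that is the first thing to verify.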
Tags: Exploit · Fix · RCE · DoS · Deserialization of Untrusted Data · HTTP Request/Response Smuggling
Related Identifiers
Affected Products
ALT Linux
AlmaLinux
Apache Tomcat
Astra Linux
CentOS
Debian
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu