CVE-2025-24813
Path Equivalence vulnerability in tomcat-embed-core (Maven)

Tags: Path Equivalence · High confidence exploit · Fixable by Resolved Security

What is CVE-2025-24813 About?

This Path Equivalence vulnerability in Apache Tomcat's Default Servlet allows for remote code execution and/or information disclosure. It occurs when specific conditions related to write-enabled settings and partial PUT support are met, enabling attackers to inject malicious content into files or achieve RCE through deserialization. Exploitation is complex, requiring multiple specific server configurations to be enabled.

Affected Software

  • org.apache.tomcat:tomcat-catalina
    • >9.0.0.M1, <9.0.99
    • >8.5.0, <=8.5.100
    • >11.0.0-M1, <11.0.3
    • >10.1.0-M1, <10.1.35
  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.0.M1, <9.0.99
    • >8.5.0, <=8.5.100
    • >11.0.0-M1, <11.0.3
    • >10.1.0-M1, <10.1.35

Technical Details

The vulnerability is a 'Path Equivalence' issue ('file.Name' with an internal dot) that affects Apache Tomcat's Default Servlet. Depending on the deployment's configuration it can lead to Remote Code Execution (RCE) or Information Disclosure.

For RCE, all of the following must hold:
  • writes are enabled for the Default Servlet (disabled by default);
  • support for partial PUT is enabled (the default);
  • the application uses Tomcat's file-based session persistence with the default storage location;
  • the application includes a library vulnerable to deserialization.

If these conditions are met, an attacker can use the path equivalence to upload malicious content that is later deserialized.

For information disclosure, the same 'writes' and partial PUT conditions must hold, the target URL for security-sensitive uploads must be a subdirectory of the target URL for public uploads, and the attacker must know the names of the security-sensitive files being uploaded. In both cases the flaw lets an attacker manipulate file paths to overwrite or inject content into files that should not be reachable.

What is the Impact of CVE-2025-24813?

Successful exploitation may allow attackers to achieve remote code execution, inject malicious content into uploaded files, or gain unauthorized access to security-sensitive files, leading to severe system compromise or information disclosure.

What is the Exploitability of CVE-2025-24813?

Exploitation of this vulnerability is complex because several prerequisites and specific configuration settings must coincide. Writes must be enabled for the Default Servlet (they are disabled by default in Tomcat), and support for partial PUT must be enabled (the default). For remote code execution, the application must furthermore use Tomcat's file-based session persistence with its default storage location and include a library vulnerable to deserialization attacks. For information disclosure, a specific directory structure involving public and security-sensitive upload URLs is required, along with attacker knowledge of the sensitive filenames. Authentication requirements depend on whether access to the vulnerable endpoints is restricted. The attack is carried out remotely. The need for several specific, partly non-default settings constrains exploitability considerably, but the impact is high when all conditions are met.

What are the Known Public Exploits?

PoC author      Commentary
absholi7ly      This repository contains an automated Proof of Concept (PoC) script for exploiting CVE-2025-24813, a Remote Code Execution (RCE) vulnerability in Apache Tomcat. The vulnerability allows an...
iSee857         Apache Tomcat remote code execution vulnerability batch detection script (CVE-2025-24813)
drcrypterdotru  Apache (CVE-2025-24813) GOExploiter Checker & Exploiter very Fast

What are the Available Fixes for CVE-2025-24813?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch changes how temporary files are created and handled when processing HTTP PUT requests with ranges: instead of deriving predictable filenames from the request path, it generates random filenames with File.createTempFile. This mitigates CVE-2025-24813, in which attackers could exploit the predictable temp file names to overwrite arbitrary files or trigger race conditions, leading to information disclosure or elevation of privilege. The patch also ensures that temp files are deleted after use, reducing the risk of leftover sensitive data.

Available Upgrade Options

  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.0.M1, <9.0.99 → Upgrade to 9.0.99
    • >10.1.0-M1, <10.1.35 → Upgrade to 10.1.35
    • >11.0.0-M1, <11.0.3 → Upgrade to 11.0.3
  • org.apache.tomcat:tomcat-catalina
    • >9.0.0.M1, <9.0.99 → Upgrade to 9.0.99
    • >10.1.0-M1, <10.1.35 → Upgrade to 10.1.35
    • >11.0.0-M1, <11.0.3 → Upgrade to 11.0.3

No upgrade target is listed for the >8.5.0, <=8.5.100 range of either artifact.
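As an added triage example (not code from the advisory, from Resolved Security or from Apache Tomcat), the script below combines the affected ranges and upgrade targets listed above with the Default Servlet prerequisite from the exploitability section. It classifies a tomcat-embed-core or tomcat-catalina version against the ranges exactly as the advisory states them (strict lower bound, 8.5.x listed with no upgrade target), and checks whether a web.xml sets the Default Servlet's readonly init-param to false, which is what the advisory calls 'writes enabled'. The two web.xml fragments are constructed sample input; readonly is Tomcat's actual parameter name and defaults to true.

```python
"""Exposure triage for CVE-2025-24813 in a Tomcat deployment.

Added example, not from the advisory or from Apache Tomcat. It encodes two
facts the advisory states: the affected version ranges with their upgrade
targets, and the prerequisite that writes are enabled for the Default
Servlet (its 'readonly' init-param, which defaults to true). The web.xml
strings at the bottom are constructed sample input.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges as the advisory lists them: lower bound exclusive, upper
# bound exclusive unless flagged inclusive. The 8.5 line is listed as
# affected with no upgrade target, hence fix_version=None.
AFFECTED = [
    # (lower, upper, upper_inclusive, fix_version)
    ("8.5.0",     "8.5.100", True,  None),
    ("9.0.0.M1",  "9.0.99",  False, "9.0.99"),
    ("10.1.0-M1", "10.1.35", False, "10.1.35"),
    ("11.0.0-M1", "11.0.3",  False, "11.0.3"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Turn '9.0.98', '9.0.0.M1' or '10.1.0-M1' into a comparable tuple.

    A milestone build (M1, M2, ...) precedes the GA release with the same
    number, so it is encoded as (0, n) and GA as (1, 0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    qualifier = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + qualifier


def affected_range(version):
    """Return the matching (lower, upper, inclusive, fix) entry, or None."""
    v = parse_version(version)
    for lower, upper, inclusive, fix in AFFECTED:
        lo, hi = parse_version(lower), parse_version(upper)
        if v > lo and (v <= hi if inclusive else v < hi):
            return (lower, upper, inclusive, fix)
    return None


def _local(tag):
    # Strip the Jakarta/Java EE namespace so '{...}servlet' compares as 'servlet'.
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def default_servlet_writes_enabled(web_xml_text):
    """True if web.xml sets init-param readonly=false on the 'default' servlet.

    The Default Servlet's 'readonly' parameter defaults to true, so an absent
    parameter means writes are disabled.
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-name") != "default":
            continue
        for param in servlet:
            if (_local(param.tag) == "init-param"
                    and _child_text(param, "param-name") == "readonly"):
                return _child_text(param, "param-value").lower() == "false"
    return False


def triage(version, web_xml_text):
    """Combine the version check and the writes check into one verdict."""
    rng = affected_range(version)
    writes = default_servlet_writes_enabled(web_xml_text)
    result = {
        "version": version,
        "affected_version": rng is not None,
        "fix_version": rng[3] if rng else None,
        "writes_enabled": writes,
    }
    if rng is None:
        result["verdict"] = "version is outside the affected ranges"
    elif writes:
        result["verdict"] = ("affected version with Default Servlet writes "
                             "enabled: upgrade and set readonly to true")
    else:
        result["verdict"] = ("affected version; writes are disabled, so the "
                             "advisory's prerequisite is not met, but upgrade")
    return result


# Constructed sample descriptors, not real deployments.
WEB_XML_WRITES_ENABLED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

WEB_XML_DEFAULTS = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    for ver, xml in (("9.0.98", WEB_XML_WRITES_ENABLED), ("9.0.99", WEB_XML_DEFAULTS)):
        print(triage(ver, xml))
```

Feed it the Tomcat version from the dependency tree and the deployment's conf/web.xml (or an application web.xml that overrides the default servlet). For embedded Tomcat configured in code rather than web.xml, inspect the same readonly parameter where the DefaultServlet is registered; the version check applies unchanged.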


Additional Resources

What are Similar Vulnerabilities to CVE-2025-24813?

Similar Vulnerabilities: CVE-2020-1938, CVE-2018-11776, CVE-2017-12617, CVE-2019-0232, CVE-2023-45648