NVD - CVE-2025-24813 (original) (raw)

CVE-2025-24813 Detail

Description

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST CVSS score

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST CVSS score

NIST: NVD

Base Score: 9.8 CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

ADP: CISA-ADP

Base Score: 10.0 CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL Source(s) Tag(s)
http://www.openwall.com/lists/oss-security/2025/03/10/5 CVE Mailing List Third Party Advisory
https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md CISA-ADP Exploit
https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq Apache Software Foundation Vendor Advisory
https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html CVE Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20250321-0001/ CVE Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24813 CISA-ADP Third Party Advisory US Government Resource
https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce CVE Issue Tracking
https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce CVE Issue Tracking
https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-detect-vulnerability CVE Issue Tracking
https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-mitigation-vulnerability CVE Issue Tracking

This CVE is in CISA's Known Exploited Vulnerabilities Catalog

Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and requirements.

Vulnerability Name Date Added Due Date Required Action
Apache Tomcat Path Equivalence Vulnerability 04/01/2025 04/22/2025 Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weakness Enumeration

CWE-ID CWE Name Source
CWE-502 Deserialization of Untrusted Data cwe source acceptance level NIST Apache Software Foundation
CWE-706 Use of Incorrectly-Resolved Name or Reference cwe source acceptance level NIST
CWE-44 Path Equivalence: 'file.name' (Internal Dot) Apache Software Foundation

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

24 change records found show changes

CVE Modified by CISA-ADP 6/17/2026 4:59:39 AM

Action Type Old Value New Value
Added SSVC {"timestamp":"2025-04-01T19:37:06.207441Z","id":"CVE-2025-24813","options":[{"exploitation":"active"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}

CVE Modified by Apache Software Foundation 6/17/2026 4:59:39 AM

Action Type Old Value New Value
Added Affected [{"vendor":"Apache Software Foundation","product":"Apache Tomcat","defaultStatus":"unaffected","versions":[{"version":"11.0.0-M1","lessThanOrEqual":"11.0.2","versionType":"semver","status":"affected"},{"version":"10.1.0-M1","lessThanOrEqual":"10.1.34","versionType":"semver","status":"affected"},{"version":"9.0.0.M1","lessThanOrEqual":"9.0.98","versionType":"semver","status":"affected"},{"version":"8.5.0","lessThanOrEqual":"8.5.100","versionType":"semver","status":"affected"},{"version":"3","lessThan":"8.5.0","versionType":"semver","status":"unknown"},{"version":"10.0.0-M1","lessThanOrEqual":"10.0.27","versionType":"semver","status":"unknown"}]}]

Modified Analysis by NIST 10/23/2025 10:49:29 AM

Action Type Old Value New Value
Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field\_cve=CVE-2025-24813 Types: Third Party Advisory, US Government Resource

CVE Modified by CISA-ADP 10/21/2025 7:16:52 PM

Action Type Old Value New Value
Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field\_cve=CVE-2025-24813

CVE Modified by CISA-ADP 10/21/2025 4:20:30 PM

Action Type Old Value New Value
Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Removed CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Removed Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field\_cve=CVE-2025-24813

CVE Modified by CISA-ADP 10/21/2025 3:21:10 PM

Action Type Old Value New Value
Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field\_cve=CVE-2025-24813

Modified Analysis by NIST 8/08/2025 1:56:59 PM

Action Type Old Value New Value

CVE Modified by Apache Software Foundation 8/08/2025 8:15:27 AM

Action Type Old Value New Value
Changed Description Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. Older, EOL versions may also be affected. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue. Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

Modified Analysis by NIST 8/07/2025 1:21:01 PM

Action Type Old Value New Value
Changed CPE Configuration Record truncated, showing 2048 of 5027 characters. View Entire Change Record OR *cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1 Record truncated, showing 2048 of 3258 characters. View Entire Change Record OR *cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone20:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone19:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone18:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:* *cpe:2.
Added CPE Configuration AND OR *cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:* OR cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*

CVE Modified by Apache Software Foundation 8/07/2025 8:15:29 AM

Action Type Old Value New Value
Changed Description Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue. Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. Older, EOL versions may also be affected. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

Modified Analysis by NIST 7/23/2025 2:10:23 PM

Action Type Old Value New Value
Added Reference Type CVE: https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-detect-vulnerability Types: Issue Tracking
Added Reference Type CVE: https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-mitigation-vulnerability Types: Issue Tracking

CVE Modified by CVE 7/21/2025 2:15:26 PM

Action Type Old Value New Value
Added Reference https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-detect-vulnerability
Added Reference https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-mitigation-vulnerability

Modified Analysis by NIST 4/03/2025 4:59:51 PM

Action Type Old Value New Value
Added CPE Configuration OR *cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Added Reference Type CVE: https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html Types: Mailing List, Third Party Advisory
Added Reference Type CVE: https://security.netapp.com/advisory/ntap-20250321-0001/ Types: Third Party Advisory
Added Reference Type CVE: https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce Types: Issue Tracking
Added Reference Type CVE: https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce Types: Issue Tracking

CVE Modified by CVE 4/02/2025 6:15:18 PM

Action Type Old Value New Value
Added Reference https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html

CVE CISA KEV Update by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government 4/01/2025 9:00:02 PM

Action Type Old Value New Value
Added Date Added 2025-04-01
Added Due Date 2025-04-22
Added Required Action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Added Vulnerability Name Apache Tomcat Path Equivalence Vulnerability

CVE Modified by CVE 3/21/2025 2:15:34 PM

Action Type Old Value New Value
Added Reference https://security.netapp.com/advisory/ntap-20250321-0001/

CVE Modified by CVE 3/19/2025 5:15:38 PM

Action Type Old Value New Value
Added Reference https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce
Added Reference https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce

Initial Analysis by NIST 3/18/2025 1:19:03 PM

Action Type Old Value New Value
Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Added CWE CWE-502
Added CWE CWE-706
Added CPE Configuration Record truncated, showing 2048 of 5027 characters. View Entire Change Record OR *cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:* *cpe:2.3:a:apache:tomcat:1
Added Reference Type Apache Software Foundation: https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq Types: Vendor Advisory
Added Reference Type CISA-ADP: https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md Types: Exploit
Added Reference Type CVE: http://www.openwall.com/lists/oss-security/2025/03/10/5 Types: Mailing List, Third Party Advisory

CVE Modified by Apache Software Foundation 3/18/2025 12:15:26 PM

Action Type Old Value New Value
Changed Description Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue. Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

CVE Modified by CISA-ADP 3/18/2025 10:15:43 AM

Action Type Old Value New Value
Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE Modified by CISA-ADP 3/17/2025 12:15:25 PM

Action Type Old Value New Value
Removed CVSS V3.1 AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Removed CWE CWE-444
Removed CWE CWE-502
Added Reference https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md

CVE Modified by CISA-ADP 3/12/2025 3:15:38 PM

Action Type Old Value New Value
Added CVSS V3.1 AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Added CWE CWE-444
Added CWE CWE-502

CVE Modified by CVE 3/10/2025 3:15:40 PM

Action Type Old Value New Value
Added Reference http://www.openwall.com/lists/oss-security/2025/03/10/5

New CVE Received from Apache Software Foundation 3/10/2025 1:15:35 PM

Action Type Old Value New Value
Added Description Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue.
Added CWE CWE-44
Added CWE CWE-502
Added Reference https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq

Quick Info

CVE Dictionary Entry:
CVE-2025-24813
NVD Published Date:
03/10/2025
NVD Last Modified:
06/17/2026
Source:
Apache Software Foundation