A critical vulnerability was discovered in Apache Tomcat, allowing for remote code execution, information disclosure, and malicious content injection via the write-enabled Default Servlet. This issue has been assigned the identifier CVE-2025-24813 and affects Apache Tomcat versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98.
Original References
- CVE Details
- Apache Tomcat 11.0.3, 10.1.35, and 9.0.98 Downloads
2. Support for partial PUT (enabled by default)
3. A target URL for security-sensitive uploads that is a sub-directory of a target URL for public uploads
Code Snippet Example
To enable writes and partial PUT support in the default servlet, the following configuration is added to web.xml:
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <!-- readonly=false lets the default servlet accept PUT and DELETE requests -->
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
    <!-- DefaultServlet's partial PUT switch is the allowPartialPut init-param; it defaults to true -->
    <init-param>
        <param-name>allowPartialPut</param-name>
        <param-value>true</param-value>
    </init-param>
</servlet>
Mitigation
Users are strongly advised to upgrade their Apache Tomcat installations to version 11.0.3, 10.1.35, or 9.0.98, as these versions contain the fix for the vulnerability. Furthermore, users should ensure that writes and partial PUT support are disabled for the default servlet, and review their application's file upload structure to avoid target URL overlaps between public and security-sensitive uploads.
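A small audit helper for the second part of that advice, added here as an example and not code from the Tomcat project or the original advisory: it parses a web.xml (namespaced like Tomcat's own conf/web.xml), finds the DefaultServlet declaration and reports whether writes and partial PUT are both effectively on. It assumes the documented init-param defaults (readonly true, allowPartialPut true); the two sample web.xml documents are constructed.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]

def _text(elem, name):
    """Text of the first child of elem whose local tag name is name (or None)."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_default_servlet(web_xml_text):
    """Summarise write / partial PUT exposure of the DefaultServlet in a web.xml.

    Assumed defaults (per DefaultServlet's documented init-params): readonly is
    true unless set, allowPartialPut is true unless set to false.
    """
    root = ET.fromstring(web_xml_text)
    params = {}
    for servlet in root.iter():
        if _local(servlet.tag) == "servlet" and _text(servlet, "servlet-class") == DEFAULT_SERVLET:
            for ip in servlet:
                if _local(ip.tag) == "init-param":
                    params[_text(ip, "param-name")] = _text(ip, "param-value")
    writes = (params.get("readonly") or "true").lower() == "false"
    partial_put = (params.get("allowPartialPut") or "true").lower() != "false"
    # Exposed when both advisory preconditions hold: PUT accepted and partial PUT on.
    return {"writes_enabled": writes, "partial_put_enabled": partial_put,
            "exposed": writes and partial_put}

# Constructed sample: write-enabled default servlet, partial PUT left at its default.
VULNERABLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed sample: the hardened form (readonly=true, allowPartialPut=false).
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "<param-value>false</param-value></init-param>",
    "<param-value>true</param-value></init-param>\n"
    "    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>")

if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_default_servlet(doc))
```

Run it against both the application's WEB-INF/web.xml and Tomcat's conf/web.xml, since either can declare the default servlet.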
Conclusion
The CVE-2025-24813 vulnerability poses a significant risk to Apache Tomcat users, as it allows for remote code execution, information disclosure, and malicious content injection in affected instances. By upgrading to fixed versions (11.0.3, 10.1.35, or 9.0.98) and following the recommended security practices, users can protect themselves from potential exploitation by malicious attackers.
Timeline
Published on: 03/10/2025 17:15:35 UTC
Last modified on: 03/12/2025 19:15:38 UTC