CVE-2025-24813

CVE-2025-24813 is a path equivalence vulnerability in the Default Servlet of Apache Tomcat, stemming from improper handling of 'file.Name' with internal dots. This flaw enables remote code execution, information disclosure, or injection of malicious content into uploaded files when writes are enabled on the servlet. It affects Apache Tomcat versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98; end-of-life versions 8.5.0 through 8.5.100 are also vulnerable, as may be older EOL releases.

Unauthenticated remote attackers can exploit this if the default servlet has writes enabled (disabled by default), partial PUT support is enabled (default), and specific application configurations align. For information disclosure or content injection, attackers need a security-sensitive upload URL as a subdirectory of a public upload URL, knowledge of sensitive file names, and those files uploaded via partial PUT, allowing viewing or modification of sensitive files. Remote code execution requires the above plus file-based session persistence at the default location and an application library vulnerable to deserialization attacks. The CVSS v3.1 score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), linked to CWEs-44, -502, and -706.

Apache advisories recommend upgrading to Tomcat 11.0.3, 10.1.35, or 9.0.99, which address the issue. Supporting announcements from OSS-Security, Debian LTS, NetApp, and Vicarius detail detection and patching guidance.