csaf_ncscnl - ncsc-2025-0089

NCSC-2025-0089

Vulnerability from csaf_ncscnl - Published: 2025-03-17 18:36 - Updated: 2025-03-17 18:36

Summary

Kwetsbaarheid verholpen in Apache Tomcat

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten

Apache heeft een kwetsbaarheid verholpen in Apache Tomcat (Specifiek voor versies 11.0.0-M1 tot 11.0.2, 10.1.0-M1 tot 10.1.34, en 9.0.0.M1 tot 9.0.98).

Interpretaties

De kwetsbaarheid bevindt zich in de manier waarop de server omgaat met HTTP PUT-verzoeken. Door een kwaadaardig PUT-verzoek te sturen, kan een aanvaller willekeurige bestanden uploaden en uiteindelijk remote code execution (RCE) verkrijgen. Dit stelt hen in staat om volledige controle over de server te krijgen Deze kwetsbaarheid wordt momenteel actief misbruikt in aanvallen, wat de urgentie van het aanpakken van dit beveiligingsprobleem in getroffen implementaties onderstreept.

Oplossingen

Apache heeft updates uitgebracht om de kwetsbaarheid te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans

medium

Schade

high

CWE-44

Path Equivalence: 'file.name' (Internal Dot)

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CWE-502

Deserialization of Untrusted Data

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Apache heeft een kwetsbaarheid verholpen in Apache Tomcat (Specifiek voor versies 11.0.0-M1 tot 11.0.2, 10.1.0-M1 tot 10.1.34, en 9.0.0.M1 tot 9.0.98).",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheid bevindt zich in de manier waarop de server omgaat met HTTP PUT-verzoeken. Door een kwaadaardig PUT-verzoek te sturen, kan een aanvaller willekeurige bestanden uploaden en uiteindelijk remote code execution (RCE) verkrijgen. Dit stelt hen in staat om volledige controle over de server te krijgen Deze kwetsbaarheid wordt momenteel actief misbruikt in aanvallen, wat de urgentie van het aanpakken van dit beveiligingsprobleem in getroffen implementaties onderstreept.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Apache heeft updates uitgebracht om de kwetsbaarheid te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Path Equivalence: \u0027file.name\u0027 (Internal Dot)",
        "title": "CWE-44"
      },
      {
        "category": "general",
        "text": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
        "title": "CWE-444"
      },
      {
        "category": "general",
        "text": "Deserialization of Untrusted Data",
        "title": "CWE-502"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference - redhat",
        "url": "https://www.cve.org/CVERecord?id=CVE-2025-24813"
      }
    ],
    "title": "Kwetsbaarheid verholpen in Apache Tomcat",
    "tracking": {
      "current_release_date": "2025-03-17T18:36:12.978021Z",
      "generator": {
        "date": "2025-02-25T15:15:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.0"
        }
      },
      "id": "NCSC-2025-0089",
      "initial_release_date": "2025-03-17T18:36:12.978021Z",
      "revision_history": [
        {
          "date": "2025-03-17T18:36:12.978021Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:rpm/unknown",
                    "product": {
                      "name": "vers:rpm/unknown",
                      "product_id": "CSAFPID-1459369"
                    }
                  }
                ],
                "category": "product_name",
                "name": "tomcat"
              },
              {
                "category": "product_version_range",
                "name": "vers:rpm/9",
                "product": {
                  "name": "vers:rpm/9",
                  "product_id": "CSAFPID-1439319",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:enterprise_linux:9"
                  }
                }
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:rpm/unknown",
                    "product": {
                      "name": "vers:rpm/unknown",
                      "product_id": "CSAFPID-1459368"
                    }
                  }
                ],
                "category": "product_name",
                "name": "pki-servlet-engine"
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux 9"
          },
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:rpm/unknown",
                    "product": {
                      "name": "vers:rpm/unknown",
                      "product_id": "CSAFPID-1459365"
                    }
                  }
                ],
                "category": "product_name",
                "name": "tomcat"
              },
              {
                "category": "product_version_range",
                "name": "vers:rpm/7",
                "product": {
                  "name": "vers:rpm/7",
                  "product_id": "CSAFPID-1439315",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux 7"
          },
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:rpm/unknown",
                    "product": {
                      "name": "vers:rpm/unknown",
                      "product_id": "CSAFPID-1459364"
                    }
                  }
                ],
                "category": "product_name",
                "name": "tomcat6"
              },
              {
                "category": "product_version_range",
                "name": "vers:rpm/6",
                "product": {
                  "name": "vers:rpm/6",
                  "product_id": "CSAFPID-1439321",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux 6"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:rpm/8",
                "product": {
                  "name": "vers:rpm/8",
                  "product_id": "CSAFPID-1439317",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:enterprise_linux:8"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Red Hat Enterprise Linux 8"
          },
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:rpm/unknown",
                    "product": {
                      "name": "vers:rpm/unknown",
                      "product_id": "CSAFPID-1459366"
                    }
                  }
                ],
                "category": "product_name",
                "name": "pki-servlet-engine"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:rpm/unknown",
                    "product": {
                      "name": "vers:rpm/unknown",
                      "product_id": "CSAFPID-1459367"
                    }
                  }
                ],
                "category": "product_name",
                "name": "tomcat"
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux 8"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/unknown",
                "product": {
                  "name": "vers:unknown/unknown",
                  "product_id": "CSAFPID-1317176",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:opensuse:-"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "SUSE openSUSE"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/\u003c10.1.35",
                "product": {
                  "name": "vers:unknown/\u003c10.1.35",
                  "product_id": "CSAFPID-1502177"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:unknown/\u003c11.0.3",
                "product": {
                  "name": "vers:unknown/\u003c11.0.3",
                  "product_id": "CSAFPID-1502178"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:unknown/\u003c9.0.99",
                "product": {
                  "name": "vers:unknown/\u003c9.0.99",
                  "product_id": "CSAFPID-1502179"
                }
              }
            ],
            "category": "product_name",
            "name": "Tomcat"
          }
        ],
        "category": "vendor",
        "name": "Apache"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:semver/10.1.0-m1|\u003c=10.1.34",
                "product": {
                  "name": "vers:semver/10.1.0-m1|\u003c=10.1.34",
                  "product_id": "CSAFPID-2452845"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:semver/11.0.0-m1|\u003c=11.0.2",
                "product": {
                  "name": "vers:semver/11.0.0-m1|\u003c=11.0.2",
                  "product_id": "CSAFPID-2452844"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:semver/9.0.0.m1|\u003c=9.0.98",
                "product": {
                  "name": "vers:semver/9.0.0.m1|\u003c=9.0.98",
                  "product_id": "CSAFPID-2452846"
                }
              }
            ],
            "category": "product_name",
            "name": "Apache Tomcat"
          }
        ],
        "category": "vendor",
        "name": "Apache Software Foundation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:deb/unknown",
                    "product": {
                      "name": "vers:deb/unknown",
                      "product_id": "CSAFPID-2454482"
                    }
                  }
                ],
                "category": "product_name",
                "name": "tomcat10"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:deb/9.0.70-2",
                    "product": {
                      "name": "vers:deb/9.0.70-2",
                      "product_id": "CSAFPID-2454484",
                      "product_identification_helper": {
                        "purl": "pkg:deb/debian/tomcat9@9.0.70-2?distro=bookworm"
                      }
                    }
                  }
                ],
                "category": "product_name",
                "name": "tomcat9"
              }
            ],
            "category": "product_family",
            "name": "bookworm"
          },
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:deb/unknown",
                    "product": {
                      "name": "vers:deb/unknown",
                      "product_id": "CSAFPID-2454485"
                    }
                  }
                ],
                "category": "product_name",
                "name": "tomcat9"
              }
            ],
            "category": "product_family",
            "name": "bullseye"
          }
        ],
        "category": "vendor",
        "name": "Debian"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-24813",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "other",
          "text": "Deserialization of Untrusted Data",
          "title": "CWE-502"
        },
        {
          "category": "other",
          "text": "Path Equivalence: \u0027file.name\u0027 (Internal Dot)",
          "title": "CWE-44"
        },
        {
          "category": "other",
          "text": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
          "title": "CWE-444"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-1459369",
          "CSAFPID-1459365",
          "CSAFPID-1459364",
          "CSAFPID-1317176",
          "CSAFPID-1502177",
          "CSAFPID-1502178",
          "CSAFPID-1502179",
          "CSAFPID-2452845",
          "CSAFPID-2452844",
          "CSAFPID-2452846",
          "CSAFPID-2454482",
          "CSAFPID-2454484",
          "CSAFPID-2454485",
          "CSAFPID-1439321",
          "CSAFPID-1439315",
          "CSAFPID-1439317",
          "CSAFPID-1439319",
          "CSAFPID-1459368",
          "CSAFPID-1459366",
          "CSAFPID-1459367"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-24813",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-24813.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-1459369",
            "CSAFPID-1459365",
            "CSAFPID-1459364",
            "CSAFPID-1317176",
            "CSAFPID-1502177",
            "CSAFPID-1502178",
            "CSAFPID-1502179",
            "CSAFPID-2452845",
            "CSAFPID-2452844",
            "CSAFPID-2452846",
            "CSAFPID-2454482",
            "CSAFPID-2454484",
            "CSAFPID-2454485",
            "CSAFPID-1439321",
            "CSAFPID-1439315",
            "CSAFPID-1439317",
            "CSAFPID-1439319",
            "CSAFPID-1459368",
            "CSAFPID-1459366",
            "CSAFPID-1459367"
          ]
        }
      ],
      "title": "CVE-2025-24813"
    }
  ]
}

CVE-2025-24813 (GCVE-0-2025-24813)

Vulnerability from cvelistv5 – Published: 2025-03-10 16:44 – Updated: 2025-10-29 11:49

Summary

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

Severity ?

No CVSS data available.

CWE

CWE-44 - Path Equivalence: 'file.name' (Internal Dot)
CWE-502 - Deserialization of Untrusted Data

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/j5fkjv2k477os90nc…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Tomcat	Affected: 11.0.0-M1 , ≤ 11.0.2 (semver) Affected: 10.1.0-M1 , ≤ 10.1.34 (semver) Affected: 9.0.0.M1 , ≤ 9.0.98 (semver) Affected: 8.5.0 , ≤ 8.5.100 (semver) Unknown: 3 , < 8.5.0 (semver) Unknown: 10.0.0-M1 , ≤ 10.0.27 (semver)

Credits

COSCO Shipping Lines DIC sw0rd1ight (https://github.com/sw0rd1ight)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-07-21T17:13:17.168Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/03/10/5"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20250321-0001/"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-detect-vulnerability"
          },
          {
            "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-mitigation-vulnerability"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 10,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-24813",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-01T19:37:06.207441Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-04-01",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24813"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:55:25.563Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24813"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-04-01T00:00:00+00:00",
            "value": "CVE-2025-24813 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Tomcat",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "11.0.2",
              "status": "affected",
              "version": "11.0.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.1.34",
              "status": "affected",
              "version": "10.1.0-M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "9.0.98",
              "status": "affected",
              "version": "9.0.0.M1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "8.5.100",
              "status": "affected",
              "version": "8.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.5.0",
              "status": "unknown",
              "version": "3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "10.0.27",
              "status": "unknown",
              "version": "10.0.0-M1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "COSCO Shipping Lines DIC"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "sw0rd1ight (https://github.com/sw0rd1ight)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003ePath Equivalence: \u0027file.Name\u0027 (Internal Dot) leading to\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003eRemote Code Execution and/or Information disclosure\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eand/or malicious content added to uploaded files via write enabled\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eDefault Servlet\u003c/span\u003e\u0026nbsp;in Apache Tomcat.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.\u003cbr\u003eThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions \nmay also be affected.\u003cbr\u003e\u003c/p\u003e\u003cdiv\u003e\u003cp\u003eIf all of the following were true, a malicious user was able to view       security sensitive files and/or inject content into those files:\u003cbr\u003e-\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003ewrites enabled for the default servlet (disabled by default)\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e- support for partial PUT (enabled by default)\u003cbr\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e- a target URL for security sensitive uploads that was a sub-directory of\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003ea target URL for public uploads\u003cbr\u003e-\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eattacker knowledge of the names of security sensitive files being\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003euploaded\u003cbr\u003e-\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003ethe security sensitive files also being uploaded via partial PUT\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eIf all of the following were true, a malicious user was able to\u003c/span\u003e       perform remote code execution:\u003cbr\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e- writes enabled for the default servlet (disabled by default)\u003cbr\u003e-\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003esupport for partial PUT (enabled by default)\u003cbr\u003e-\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eapplication was using Tomcat\u0027s file based session persistence with the\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003edefault storage location\u003cbr\u003e-\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eapplication included a library that may be leveraged in a\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003edeserialization attack\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: var(--wht);\"\u003eUsers are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.\u003c/span\u003e\u003c/p\u003e\u003c/div\u003e"
            }
          ],
          "value": "Path Equivalence: \u0027file.Name\u0027 (Internal Dot) leading to\u00a0Remote Code Execution and/or Information disclosure\u00a0and/or malicious content added to uploaded files via write enabled\u00a0Default Servlet\u00a0in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions \nmay also be affected.\n\n\nIf all of the following were true, a malicious user was able to view       security sensitive files and/or inject content into those files:\n-\u00a0writes enabled for the default servlet (disabled by default)\n- support for partial PUT (enabled by default)\n- a target URL for security sensitive uploads that was a sub-directory of\u00a0a target URL for public uploads\n-\u00a0attacker knowledge of the names of security sensitive files being\u00a0uploaded\n-\u00a0the security sensitive files also being uploaded via partial PUT\n\nIf all of the following were true, a malicious user was able to       perform remote code execution:\n- writes enabled for the default servlet (disabled by default)\n-\u00a0support for partial PUT (enabled by default)\n-\u00a0application was using Tomcat\u0027s file based session persistence with the\u00a0default storage location\n-\u00a0application included a library that may be leveraged in a\u00a0deserialization attack\n\nUsers are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-44",
              "description": "CWE-44 Path Equivalence: \u0027file.name\u0027 (Internal Dot)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-29T11:49:44.413Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2025-24813",
    "datePublished": "2025-03-10T16:44:03.715Z",
    "dateReserved": "2025-01-24T08:51:50.296Z",
    "dateUpdated": "2025-10-29T11:49:44.413Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

NCSC-2025-0089

CVE-2025-24813 (GCVE-0-2025-24813)

Tags

Sightings

Nomenclature