CVE-2025-24813

CVE Details

Release Date:	2025-03-10
Impact:	Moderate	What is this?

Description

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

See more information about CVE-2025-24813 from MITRE CVE dictionary and NIST NVD

NOTE: The following CVSS metrics and score provided are preliminary and subject to review.

CVSS v3 metrics

Base Score:	8.6
Vector String:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Version:	3.1
Attack Vector:	Network
Attack Complexity:	Low
Privileges Required:	None
User Interaction:	None
Scope:	Unchanged
Confidentiality Impact:	High
Integrity Impact:	Low
Availability Impact:	Low

Errata information

Platform	Errata	Release Date
Oracle Linux version 8 (tomcat)	ELSA-2025-3683	2025-04-08
Oracle Linux version 9 (tomcat)	ELSA-2025-3645	2025-04-07