{
  "id": "CVE-2025-24813",
  "details": "Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.\nThe following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.\n\nIf all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:\n- writes enabled for the default servlet (disabled by default)\n- support for partial PUT (enabled by default)\n- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads\n- attacker knowledge of the names of security sensitive files being uploaded\n- the security sensitive files also being uploaded via partial PUT\n\nIf all of the following were true, a malicious user was able to perform remote code execution:\n- writes enabled for the default servlet (disabled by default)\n- support for partial PUT (enabled by default)\n- application was using Tomcat's file based session persistence with the default storage location\n- application included a library that may be leveraged in a deserialization attack\n\nUsers are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.",
  "aliases": ["BIT-tomcat-2025-24813", "GHSA-83qj-6fr2-vhqg"],
  "modified": "2026-04-16T00:00:15.937078250Z",
  "published": "2025-03-10T17:15:35.067Z",
  "related": [
    "ALSA-2025:3645",
    "ALSA-2025:3683",
    "ALSA-2025:7494",
    "ALSA-2025:7497",
    "CGA-xvpq-3fmc-q2jr",
    "SUSE-SU-2025:0954-1",
    "SUSE-SU-2025:1024-1",
    "SUSE-SU-2025:1126-1",
    "SUSE-SU-2026:1058-1",
    "openSUSE-SU-2025:14896-1",
    "openSUSE-SU-2025:14897-1"
  ],
  "references": [
    {"type": "WEB", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24813"},
    {"type": "ADVISORY", "url": "https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq"},
    {"type": "ADVISORY", "url": "http://www.openwall.com/lists/oss-security/2025/03/10/5"},
    {"type": "ADVISORY", "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html"},
    {"type": "ADVISORY", "url": "https://security.netapp.com/advisory/ntap-20250321-0001/"},
    {"type": "ADVISORY", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24813"},
    {"type": "REPORT", "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce"},
    {"type": "REPORT", "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce"},
    {"type": "REPORT", "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-detect-vulnerability"},
    {"type": "REPORT", "url": "https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-mitigation-vulnerability"},
    {"type": "ARTICLE", "url": "http://www.openwall.com/lists/oss-security/2025/03/10/5"},
    {"type": "ARTICLE", "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html"},
    {"type": "EVIDENCE", "url": "https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/apache/tomcat",
          "events": [
            {"introduced": "0"},
            {"fixed": "7145107845fe82dafee783bb0bfd6bea028e173b"},
            {"introduced": "6c56147c3966fde5ae34aab2b253593e8700a28c"},
            {"fixed": "6e6ddf18b5dd4baadd4470f2f48a71b9c4185122"},
            {"introduced": "934df02dc68e72b95a38f372017f1b89b0d13a76"},
            {"fixed": "9636e5188311f30c1e46c94191d2145998778bf4"}
          ]
        }
      ],
      "database_specific": {
        "source": "https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-24813.json"
      }
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}
  ]
}