9.8

CVSS Score

Basic Information

CVE ID

CVE-2025-24813

GHSA ID

GHSA-83qj-6fr2-vhqg

EPSS Score

CWE

CWE-44

Published

3/10/2025

Updated

3/19/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-24813

CVE-2025-24813:
Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default)

support for partial PUT (enabled by default)
a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue.

(GitHub Advisory)

9.8

CVSS Score

Basic Information

CVE ID

CVE-2025-24813

GHSA ID

GHSA-83qj-6fr2-vhqg

EPSS Score

CWE

CWE-44

Published

3/10/2025

Updated

3/19/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.tomcat:tomcat-catalina	maven	>= 11.0.0-M1, < 11.0.3	11.0.3
org.apache.tomcat:tomcat-catalina	maven	>= 10.1.0-M1, < 10.1.35	10.1.35
org.apache.tomcat:tomcat-catalina	maven	>= 9.0.0.M1, < 9.0.99	9.0.99
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 11.0.0-M1, < 11.0.3	11.0.3
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 10.1.0-M1, < 10.1.35	10.1.35
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 9.0.0.M1, < 9.0.99	9.0.99

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key functions in DefaultServlet.java: 1) doPut() managed partial uploads but delayed temp file cleanup (via deleteOnExit()), and 2) executePartialPut() used path-based filenames with slash-to-dot conversion. Together, these allowed path traversal via 'internal dot' equivalence and file retention long enough for attackers to exploit session persistence or deserialization. The patch replaced manual filename construction with secure temp files and immediate deletion, confirming these functions' roles.

Vulnerable functions

org.apache.catalina.servlets.DefaultServlet.doPut

java/org/apache/catalina/servlets/DefaultServlet.java

Handles partial PUT requests with insecure temporary file creation using path-based names (CWE-44). The original implementation converted '/' to '.' in paths, enabling path equivalence attacks. Temporary files were only marked for deletion on JVM exit, leaving a window for exploitation.

org.apache.catalina.servlets.DefaultServlet.executePartialPut

java/org/apache/catalina/servlets/DefaultServlet.java

Created temporary files using user-controlled path data with unsafe name conversion (path.replace('/', '.')). This allowed attackers to write files to unexpected locations via internal dot manipulation, enabling session file corruption or RCE through deserialization (CWE-502).

WAF Protection Rules

WAF Rule

P*t* *quiv*l*n**: '*il*.N*m*' (Int*rn*l *ot) l***in* to R*mot* *o** *x**ution *n*/or In*orm*tion *is*losur* *n*/or m*li*ious *ont*nt ***** to uplo**** *il*s vi* writ* *n**l** ****ult S*rvl*t in *p**** Tom**t. T*is issu* *****ts *p**** Tom**t: *rom *

Reasoning

T** vuln*r**ility st*ms *rom two k*y *un*tions in ****ultS*rvl*t.j*v*: *) *oPut() m*n**** p*rti*l uplo**s *ut **l*y** t*mp *il* *l**nup (vi* **l*t*On*xit()), *n* *) *x**ut*P*rti*lPut() us** p*t*-**s** *il*n*m*s wit* sl*s*-to-*ot *onv*rsion. To**t**r,

9.8

Basic Information

Concerned about an active attack path?

CVE-2025-24813: Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-24813:
Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT

Vulnerability Intelligence
Miggo AI