SentinelOne
CVE Vulnerability Database

CVE-2025-24813: Apache Tomcat Path Equivalence RCE Vulnerability

CVE-2025-24813 is a path equivalence remote code execution vulnerability in Apache Tomcat that enables attackers to execute code or disclose sensitive information. This article covers technical details, affected versions, and mitigation.


CVE-2025-24813 Overview

Path Equivalence: file.Name (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.

Critical Impact

This vulnerability allows for remote code execution and information disclosure, affecting multiple versions of Apache Tomcat.

Affected Products

  • Apache Tomcat
  • Debian Linux
  • NetApp Bootstrap OS

Discovery Timeline

  • 2025-03-10 - CVE-2025-24813 published to NVD
  • 2025-10-23 - Last updated in NVD database

Technical Details for CVE-2025-24813

Vulnerability Analysis

The vulnerability exists in Apache Tomcat due to improper handling of path equivalence for file uploads when the Default Servlet's write functionality is enabled. Under specific conditions, attackers can exploit this to achieve remote code execution or access sensitive information.

Root Cause

The root cause is improper validation of file paths when file.Name contains an internal dot, coupled with default servlet write permissions.

Attack Vector

The attack vector is network-based, allowing remote attackers to exploit the vulnerability.

```python
# Example exploitation code (sanitized): a plain HTTP PUT to a write-enabled
# Default Servlet. The request body is stored as a file on the server, which is
# the write primitive this vulnerability builds on.
import requests

url = "http://victim.com/upload"
headers = {"Content-Type": "application/octet-stream"}
data = b"content to upload"

# A timeout keeps the client from hanging on an unresponsive server.
response = requests.put(url, headers=headers, data=data, timeout=10)
print(response.status_code)  # 201 Created or 204 No Content means the write was accepted
```

Detection Methods for CVE-2025-24813

Indicators of Compromise

  • Unexpected file modifications
  • Unauthorized access logs
  • Suspicious HTTP PUT requests

Detection Strategies

Use file integrity monitoring to detect unauthorized changes to files under the Tomcat web application and work directories, and analyze network traffic (in particular HTTP PUT requests to Tomcat) to identify suspicious upload attempts.

Monitoring Recommendations

Continuously monitor system logs, Tomcat access logs, and network traffic for anomalies related to file uploads, such as PUT requests from unexpected sources or to unexpected paths.

How to Mitigate CVE-2025-24813

Immediate Actions Required

  • Disable write permissions for the Default Servlet
  • Restrict public access to sensitive directories
  • Monitor access to Tomcat's file-based sessions

Patch Information

Upgrade to Apache Tomcat versions 11.0.3, 10.1.35, or 9.0.99, which address this vulnerability.

Workarounds

For systems unable to upgrade immediately, ensure the Write mode on the Default Servlet is disabled and limit exposure of sensitive files.

```apache
# Configuration example for an Apache httpd front-end (reverse proxy) in front of
# Tomcat. This is httpd configuration, not Tomcat configuration: the Tomcat-side
# control is the Default Servlet's readonly init-param in conf/web.xml.
# Deny the write methods (PUT, DELETE) so uploads never reach Tomcat; the original
# <LimitExcept PUT POST GET> denied everything *except* PUT and so left it open.
<Location "/uploads">
    <Limit PUT DELETE>
        # httpd 2.2-style directives; on 2.4 they require mod_access_compat
        Order deny,allow
        Deny from all
    </Limit>
</Location>
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
