
A serious vulnerability, CVE-2025-24813, has been discovered in Apache Tomcat, potentially allowing attackers to execute remote code, disclose sensitive information, or corrupt data. The Apache Software Foundation has issued an urgent security advisory, urging users of affected versions to update immediately.
Apache Tomcat, a widely used open-source web server and servlet container, is vulnerable to this flaw due to a weakness in its handling of partial PUT requests. According to the advisory, the original implementation of partial PUT “used a temporary file based on the user provided file name and path with the path separator replaced by ‘.’”. This seemingly minor detail opens a significant security hole under specific conditions.
The advisory outlines two primary exploitation scenarios:
- Information Disclosure and Corruption:
  - If writes are enabled for the default servlet (disabled by default), partial PUT support is active (enabled by default), the target URL for sensitive uploads is a subdirectory of a public upload URL, and an attacker knows the names of the sensitive files being uploaded via partial PUT, they can “view security sensitive files and/or inject content into those files.”
- Remote Code Execution (RCE):
  - If writes are enabled for the default servlet, partial PUT is active, the application uses Tomcat’s file-based session persistence with the default storage, and the application includes a library vulnerable to deserialization attacks, “a malicious user was able to perform remote code execution.”
These scenarios highlight the severity of the vulnerability, as it can lead to both unauthorized access to sensitive data and complete compromise of the server.
The CVE-2025-24813 vulnerability affects the following Apache Tomcat versions:
- Apache Tomcat 11.0.0-M1 to 11.0.2
- Apache Tomcat 10.1.0-M1 to 10.1.34
- Apache Tomcat 9.0.0.M1 to 9.0.98
The Apache Software Foundation strongly recommends that users of these versions apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.3 or later.
- Upgrade to Apache Tomcat 10.1.35 or later.
- Upgrade to Apache Tomcat 9.0.99 or later.
The potential for both data breaches and remote code execution makes this vulnerability a significant threat. The fact that partial PUT is enabled by default in affected versions amplifies the risk, although both scenarios also require writes to be enabled for the default servlet, which is off by default. Many production servers could be vulnerable if they are not patched quickly.
Administrators of servers running affected Apache Tomcat versions must take immediate action to mitigate this vulnerability. Upgrading to the patched versions is the most effective way to protect against potential attacks.