Apache Tomcat

A critical security vulnerability in Apache Tomcat (CVE-2025-24813) has exposed servers to remote code execution (RCE), information disclosure, and data corruption risks. 

The flaw, rooted in improper handling of partial HTTP PUT requests, affects Tomcat versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98. 

The Apache Software Foundation has issued fixed releases (Tomcat 11.0.3, 10.1.35, and 9.0.99) and urged immediate upgrades to mitigate exploitation risks.


Apache Tomcat Vulnerability

The vulnerability stems from the default servlet's implementation of partial PUT requests (uploads carrying a Content-Range header), which allow clients to upload a file in segments.

The original code (patched in commit 0a668e0c) built the temporary file name in the work directory by replacing every path separator (/) in the request path with a dot (.). Because two different request paths can produce the same dotted name, this is a path equivalence flaw. Attackers could exploit it to:

  • Bypass Security Controls: By choosing a request path inside a publicly writable upload area whose dotted temporary name matches that of a file in a protected sub-directory, an attacker could create or overwrite files they were never authorised to write.
  • Inject Malicious Content: Overwrite persisted files such as session data with attacker-controlled content, enabling RCE if the server later deserialises or executes what it reads back.
  • Expose Sensitive Data: Read security-sensitive files uploaded by others through the same name collision, provided the default servlet's write support is enabled (it is disabled by default).
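The collision described above, as an added example that is not Tomcat source code: an in-memory dictionary stands in for the work directory, the pre-fix naming scheme is modelled exactly as the page describes it (every `/` becomes `.`), and the "safe" variant is an illustrative injective encoding, not the upstream fix. The upload prefixes and file names are constructed for the example.

```python
"""Path-equivalence demonstration for the partial PUT temp-file naming
described above.  Added example, not Tomcat source: an in-memory dictionary
stands in for the work directory, the pre-fix naming scheme is modelled as
the page describes it (every '/' becomes '.'), and the 'safe' variant is an
illustrative injective encoding, not the upstream fix.  The upload prefixes
and file names below are constructed for the example."""

PUBLIC_PREFIX = "/upload/"            # assumed: any client may PUT below here
SENSITIVE_PREFIX = "/upload/secret/"  # assumed: protected sub-directory of the public area


def vulnerable_temp_name(path: str) -> str:
    """Pre-fix scheme as described on the page: path separators become dots."""
    return path.replace("/", ".")


def safe_temp_name(path: str) -> str:
    """Illustrative alternative (not the upstream patch): percent-encode the
    characters that could be confused, escaping '%' first so the mapping is
    injective and two distinct request paths can never share one temp name."""
    return path.replace("%", "%25").replace(".", "%2E").replace("/", "%2F")


def client_may_write(path: str) -> bool:
    """Authorisation as an application might model it: the public area is
    writable, its protected sub-directory is not."""
    return path.startswith(PUBLIC_PREFIX) and not path.startswith(SENSITIVE_PREFIX)


class PartialPutWorkDir:
    """Stand-in for $CATALINA_BASE/work: temp-file name -> content."""

    def __init__(self, naming):
        self.naming = naming
        self.files = {}

    def partial_put(self, path: str, data: bytes) -> str:
        """Client segment upload; returns the temp-file name actually written."""
        if not client_may_write(path):
            raise PermissionError(f"client may not write {path}")
        name = self.naming(path)
        self.files[name] = data
        return name

    def read_back(self, path: str):
        """What the server later finds when it resolves a (protected) path."""
        return self.files.get(self.naming(path))


def demo(naming):
    """An attacker writes to a public path; return what the server then sees
    at the protected path that shares its dotted temp name (None if nothing)."""
    work = PartialPutWorkDir(naming)
    work.partial_put("/upload/secret.session", b"attacker-controlled bytes")
    return work.read_back("/upload/secret/session")


if __name__ == "__main__":
    for fn in (vulnerable_temp_name, safe_temp_name):
        print(f"{fn.__name__}: "
              f"{fn('/upload/secret.session')!r} vs {fn('/upload/secret/session')!r} "
              f"-> server reads {demo(fn)!r}")
```

Under the vulnerable scheme `/upload/secret.session` (which the client may write) and `/upload/secret/session` (which it may not) both become `.upload.secret.session`, so the attacker's bytes are what the server reads back for the protected path; under the injective scheme the two names differ and the read returns nothing.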

For RCE, attackers require:

  • Write-enabled default servlet (non-default configuration)
  • Partial PUT support (enabled by default)
  • Tomcat's file-based session persistence, using the default storage location
  • A library on the application's classpath that can be leveraged in a deserialization attack (a gadget chain)

The flaw's severity comes from what a single unauthorised write can be turned into. For instance:

Data Corruption: Attackers could overwrite persisted session files stored under $CATALINA_BASE/work, altering or replacing user sessions.

RCE: With the four conditions above met, a serialised payload written into the session store under a name Tomcat later loads as a session is deserialised on the server. Independently of this CVE, a write-enabled default servlet also lets an attacker upload a malicious JSP into the web root (e.g., webapps/ROOT) and execute arbitrary code.

Information Leakage: Under the same conditions, partial PUT requests could expose security-sensitive files that other clients uploaded via partial PUT.

Notably, this vulnerability follows prior issues such as CVE-2024-56337 (an incomplete mitigation for CVE-2024-50379, both time-of-check/time-of-use races in the default servlet on case-insensitive filesystems), highlighting systemic risks in Tomcat's file-handling logic.

Mitigations

Administrators must:

  • Deploy Tomcat 11.0.3, 10.1.35, or 9.0.99 to apply the fix.
  • If upgrading isn't feasible, set the allowPartialPut init-param of the DefaultServlet to "false" in conf/web.xml.
  • Ensure the default servlet's readonly init-param remains "true" (the default) to block unauthorized writes.
  • Remove or update libraries that provide known deserialization gadget chains (e.g., outdated XStream releases) and avoid exposing native Java serialization to untrusted input.
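A way to check the two configuration points and the version ranges given on this page, as an added example that is not an Apache tool: the script decides whether a Tomcat version string falls inside the affected ranges and reads the DefaultServlet init-params from a conf/web.xml, flagging the risky combination of writes enabled with partial PUT still on. The two web.xml fragments are constructed samples, not copies of a real Tomcat configuration.

```python
"""Audit helper for the mitigations listed above.  Added example, not an
Apache tool: it (1) tells whether a Tomcat version string falls in the
affected ranges given on this page and (2) reads the DefaultServlet
init-params from a conf/web.xml so that a write-enabled servlet with partial
PUT still on is flagged.  The two web.xml fragments are constructed samples."""
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, from the advisory figures on this page.
FIRST_FIXED = {(11, 0): "11.0.3", (10, 1): "10.1.35", (9, 0): "9.0.99"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def version_key(version: str) -> tuple:
    """Sortable key; milestones (11.0.0-M1, 9.0.0.M1) precede the GA build."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = (int(g) if g is not None else None for g in m.groups())
    return (major, minor, patch, 0 if milestone is not None else 1, milestone or 0)


def is_affected(version: str):
    """True/False for the three supported branches; None for a branch the
    advisory does not cover (e.g. end-of-life 8.5.x or 10.0.x)."""
    key = version_key(version)
    fixed = FIRST_FIXED.get(key[:2])
    return None if fixed is None else key < version_key(fixed)


def _local(tag: str) -> str:
    """Strip the XML namespace (javaee / jakartaee) from an element tag."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml: str) -> dict:
    """Collect <init-param> name/value pairs of the servlet named 'default'."""
    params = {}
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        names = [c.text.strip() for c in servlet if _local(c.tag) == "servlet-name" and c.text]
        if names != ["default"]:
            continue
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            pn = pv = None
            for c in ip:
                if _local(c.tag) == "param-name":
                    pn = (c.text or "").strip()
                elif _local(c.tag) == "param-value":
                    pv = (c.text or "").strip()
            if pn:
                params[pn] = pv
    return params


def assess_default_servlet(web_xml: str) -> dict:
    """Apply Tomcat's defaults (readonly=true, allowPartialPut=true) for any
    init-param that is absent and report whether the risky combination holds."""
    p = default_servlet_params(web_xml)
    readonly = p.get("readonly", "true").lower() == "true"
    partial_put = p.get("allowPartialPut", "true").lower() == "true"
    return {"readonly": readonly, "allowPartialPut": partial_put,
            "exposed": (not readonly) and partial_put}


# Constructed sample: writes enabled, partial PUT left at its default (on).
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed sample: the two mitigations from the list above applied.
HARDENED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""


if __name__ == "__main__":
    for v in ("9.0.98", "9.0.99", "10.1.0-M1", "11.0.3", "8.5.100"):
        print(f"{v:>10}: affected={is_affected(v)}")
    print("weak    :", assess_default_servlet(WEAK_WEB_XML))
    print("hardened:", assess_default_servlet(HARDENED_WEB_XML))
```

To audit a real instance, read `$CATALINA_BASE/conf/web.xml` into `assess_default_servlet` and pass the version reported by `catalina.sh version` to `is_affected`; note that a per-application WEB-INF/web.xml can override the global default servlet settings, so each deployed webapp deserves the same check.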

For the related case-insensitive filesystem issue (CVE-2024-56337), the required Java settings depend on the runtime:

  • Java 8 or 11: Explicitly set -Dsun.io.useCanonCaches=false (it defaults to true).
  • Java 17: The property defaults to false; if it is set at all, it must be false.
  • Java 21+: No further action required, as the problematic cache and the property were removed.

Security researchers emphasize the urgency of patching.

Mark Thomas of the Apache Tomcat Security Team noted, “This vulnerability underscores the risks of combining write-enabled servlets with case-insensitive filesystems.”

With exploits likely to emerge soon, delaying patches risks catastrophic breaches. As Apache’s advisory warns, “The partial PUT feature’s default-enabled status amplifies exposure.” 

Organizations must prioritize upgrades, audit configurations, and adopt defense-in-depth strategies to safeguard Java web ecosystems.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers cyber security incidents across the industry.