# CVE-2025-24813 | Tomcat | RCE

## CVE-2025-24813 Summary

| Field | Details |
|---|---|
| CVE ID | CVE-2025-24813 |
| Vulnerability Type | Path Equivalence Handling & Partial PUT Abuse |
| Description | CVE-2025-24813 is a vulnerability in Apache Tomcat that allows attackers to abuse partial PUT requests and Tomcat's internal dot-based path handling to upload malicious files. If the conditions below are met, this can lead to remote code execution via deserialization of session files. |
| Affected Versions | Tomcat 11.0.0-M1 through 11.0.2<br>Tomcat 10.1.0-M1 through 10.1.34<br>Tomcat 9.0.0.M1 through 9.0.98 |
| Attack Vector | Default servlet with write enabled (readonly=false)<br>Partial PUT support enabled (the default)<br>File-based session persistence<br>Application includes deserialization gadgets |
| Exploitation Techniques | Dot-suffix evasion<br>Path traversal<br>Partial PUT for malicious upload<br>Deserialization attacks via a manipulated JSESSIONID |
| Proof of Concept (PoC) | 1. Upload a malicious serialized Java object with a PUT request to a writable directory.<br>2. Trigger deserialization by sending a GET request with a crafted JSESSIONID.<br>3. Tomcat executes the payload, leading to RCE.<br>4. Post-exploitation may include persistence, privilege escalation, file modification, or data theft. |
| Impact | Remote code execution<br>Full system compromise<br>Unauthorized file access<br>Integrity violations through file tampering |
| Detection Methods | Analyze logs for suspicious PUT requests and filenames containing internal dots<br>Monitor changes to session and JSP files<br>Audit servlet configurations for writable settings |
| Mitigation Steps | Upgrade to Tomcat 9.0.99, 10.1.35, or 11.0.3<br>Disable partial PUT if unused<br>Set readonly=true on the default servlet<br>Switch to non-file-based session persistence<br>Restrict upload paths and validate file content<br>Monitor logs for JSESSIONID anomalies |
| Workarounds | Restrict write access to the servlet<br>Monitor upload activity<br>Apply network restrictions around Tomcat |
| References | NVD - CVE-2025-24813<br>Apache Tomcat Security Advisory<br>Akamai Blog<br>Recorded Future Analysis<br>PoC Writeup |
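An added configuration audit, written for this page and not taken from it or from Apache Tomcat, that checks the three preconditions listed under Attack Vector and Mitigation Steps: the default servlet's `readonly` setting, partial PUT support, and file-based session persistence. It assumes Tomcat's documented `DefaultServlet` and `FileStore` class names and that `allowPartialPut` is the DefaultServlet init-param governing partial PUT (not named on this page); the XML fragments are constructed samples.

```python
import xml.etree.ElementTree as ET

# Class names are Tomcat's own; the audit logic below is constructed for this example.
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
FILE_STORE = "org.apache.catalina.session.FileStore"

def _local(tag):
    # web.xml is namespaced (javaee on Tomcat 9, jakartaee on 10/11); compare local names only
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _text(elems):
    return (elems[0].text or "").strip() if elems else ""

def audit_web_xml(xml_text):
    """Findings for the DefaultServlet init-params in conf/web.xml (empty list = hardened)."""
    findings = []
    for servlet in _children(ET.fromstring(xml_text), "servlet"):
        if _text(_children(servlet, "servlet-class")) != DEFAULT_SERVLET:
            continue
        params = {_text(_children(p, "param-name")): _text(_children(p, "param-value")).lower()
                  for p in _children(servlet, "init-param")}
        # readonly defaults to true; only an explicit "false" makes PUT writable
        if params.get("readonly") == "false":
            findings.append("DefaultServlet readonly=false: PUT uploads are enabled")
            # allowPartialPut (assumed param name) defaults to true, so absence means it is on
            if params.get("allowPartialPut", "true") != "false":
                findings.append("allowPartialPut not disabled: partial PUT reachable")
    return findings

def audit_context_xml(xml_text):
    """Flag a FileStore under a PersistentManager in context.xml (file-based session persistence)."""
    return ["FileStore session persistence enabled: session files are written to disk"
            for store in ET.fromstring(xml_text).iter("Store")
            if store.get("className") == FILE_STORE]

# Constructed sample fragments (not from the page): a weak and a hardened web.xml, a weak context.xml.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""
HARDENED_WEB_XML = WEAK_WEB_XML.replace("<param-value>false<", "<param-value>true<")
WEAK_CONTEXT_XML = """<Context><Manager className="org.apache.catalina.session.PersistentManager">
  <Store className="org.apache.catalina.session.FileStore"/></Manager></Context>"""
```

Run `audit_web_xml` against the deployed `conf/web.xml` and `audit_context_xml` against each `context.xml`; an empty result from both means the upload and session-file preconditions described above are not present, though upgrading remains the actual fix.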