CVE-2025-24813
April 3, 2025, 8:59 p.m.
9.8
Critical
Description
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT
If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack
Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
Product(s) Impacted
| Vendor | Product | Versions |
|---|---|---|
| Apache |
|
|
| Debian |
|
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
CWE-44
Path Equivalence: 'file.name' (Internal Dot)
The product accepts path input in the form of internal dot ('file.ordir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
CWE-502
Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
*CPE(s)
Affected systems and software identified for this CVE.
| Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
|---|---|---|---|---|---|---|---|---|---|---|
| a | apache | tomcat | / | / | / | / | / | / | / | / |
| a | apache | tomcat | / | / | / | / | / | / | / | / |
| a | apache | tomcat | / | / | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone1 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone10 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone11 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone12 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone13 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone14 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone15 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone16 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone17 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone18 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone19 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone2 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone20 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone21 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone22 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone23 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone24 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone25 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone26 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone27 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone3 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone4 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone5 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone6 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone7 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone8 | / | / | / | / | / | / |
| a | apache | tomcat | 9.0.0 | milestone9 | / | / | / | / | / | / |
| a | apache | tomcat | 10.1.0 | milestone1 | / | / | / | / | / | / |
| a | apache | tomcat | 10.1.0 | milestone10 | / | / | / | / | / | / |
| a | apache | tomcat | 10.1.0 | milestone11 | / | / | / | / | / | / |
| a | apache | tomcat | 10.1.0 | milestone12 | / | / | / | / | / | / |
| a | apache | tomcat | 10.1.0 | milestone13 | / | / | / | / | / | / |
| a | apache | tomcat | 10.1.0 | milestone14 | / | / | / | / | / | / |
| a | apache | tomcat | 10.1.0 | milestone15 | / | / | / | / | / | / |
| a | apache | tomcat | 10.1.0 | milestone16 | / | / | / | / | / | / |
| a | apache | tomcat | 10.1.0 | milestone17 | / | / | / | / | / | / |
| a | apache | tomcat | 10.1.0 | milestone18 | / | / | / | / | / | / |
| a | apache | tomcat | 10.1.0 | milestone19 | / | / | / | / | / | / |
| a | apache | tomcat | 10.1.0 | milestone2 | / | / | / | / | / | / |
| a | apache | tomcat | 10.1.0 | milestone20 | / | / | / | / | / | / |
| a | apache | tomcat | 10.1.0 | milestone3 | / | / | / | / | / | / |
| a | apache | tomcat | 10.1.0 | milestone4 | / | / | / | / | / | / |
| a | apache | tomcat | 10.1.0 | milestone5 | / | / | / | / | / | / |
| a | apache | tomcat | 10.1.0 | milestone6 | / | / | / | / | / | / |
| a | apache | tomcat | 10.1.0 | milestone7 | / | / | / | / | / | / |
| a | apache | tomcat | 10.1.0 | milestone8 | / | / | / | / | / | / |
| a | apache | tomcat | 10.1.0 | milestone9 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone1 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone10 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone11 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone12 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone13 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone14 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone15 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone16 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone17 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone18 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone19 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone2 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone20 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone21 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone22 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone23 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone24 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone25 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone3 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone4 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone5 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone6 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone7 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone8 | / | / | / | / | / | / |
| a | apache | tomcat | 11.0.0 | milestone9 | / | / | / | / | / | / |
| o | debian | debian_linux | 11.0 | / | / | / | / | / | / | / |
References
Tags
CVSS Score
CVSS Data - 3.1
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Timeline
Published: March 10, 2025, 5:15 p.m.
Last Modified: April 3, 2025, 8:59 p.m.
Last Modified: April 3, 2025, 8:59 p.m.
Status : Analyzed
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
security@apache.org
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.