Apache Tomcat up to 9.0.98/10.1.34/11.0.2 Partial PUT path equivalence
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.6 | $0-$5k | 0.70 |
Summary
A vulnerability labeled as problematic has been found in Apache Tomcat up to 9.0.98/10.1.34/11.0.2. This affects an unknown part of the component Partial PUT Handler. Executing a manipulation can lead to path equivalence. This vulnerability is tracked as CVE-2025-24813. The attack can be launched remotely. Moreover, an exploit is present. The affected component should be upgraded.
Details
A vulnerability has been found in Apache Tomcat up to 9.0.98/10.1.34/11.0.2 and classified as problematic. This vulnerability affects an unknown part of the component Partial PUT Handler. The manipulation with an unknown input leads to a path equivalence vulnerability. The CWE definition for the vulnerability is CWE-44. The product accepts path input in the form of internal dot ('file.ordir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue.
The weakness was disclosed by Sw0rd1ight. The advisory is shared for download at lists.apache.org. This vulnerability was named CVE-2025-24813 since 01/24/2025. The exploitation appears to be difficult. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Technical details are unknown but a public exploit is available. The MITRE ATT&CK project declares the attack technique as T1006.
It is possible to download the exploit at exploit-db.com. It is declared as attacked. The vulnerability scanner Nessus provides a plugin with the ID 232530 (Apache Tomcat 11.0.0.M1 < 11.0.3), which helps to determine the existence of the flaw in a target environment. This issue was added on 04/01/2025 to the CISA Known Exploited Vulnerabilities Catalog with a due date of 04/22/2025:
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.Upgrading to version 9.0.99, 10.1.35 or 11.0.3 eliminates this vulnerability.
The vulnerability is also documented in the databases at Exploit-DB (52134) and Tenable (232530). Once again VulDB remains the best source for vulnerability data.
Product
Type
Vendor
Name
Version
- 9.0.0
- 9.0.1
- 9.0.2
- 9.0.3
- 9.0.4
- 9.0.5
- 9.0.6
- 9.0.7
- 9.0.8
- 9.0.9
- 9.0.10
- 9.0.11
- 9.0.12
- 9.0.13
- 9.0.14
- 9.0.15
- 9.0.16
- 9.0.17
- 9.0.18
- 9.0.19
- 9.0.20
- 9.0.21
- 9.0.22
- 9.0.23
- 9.0.24
- 9.0.25
- 9.0.26
- 9.0.27
- 9.0.28
- 9.0.29
- 9.0.30
- 9.0.31
- 9.0.32
- 9.0.33
- 9.0.34
- 9.0.35
- 9.0.36
- 9.0.37
- 9.0.38
- 9.0.39
- 9.0.40
- 9.0.41
- 9.0.42
- 9.0.43
- 9.0.44
- 9.0.45
- 9.0.46
- 9.0.47
- 9.0.48
- 9.0.49
- 9.0.50
- 9.0.51
- 9.0.52
- 9.0.53
- 9.0.54
- 9.0.55
- 9.0.56
- 9.0.57
- 9.0.58
- 9.0.59
- 9.0.60
- 9.0.61
- 9.0.62
- 9.0.63
- 9.0.64
- 9.0.65
- 9.0.66
- 9.0.67
- 9.0.68
- 9.0.69
- 9.0.70
- 9.0.71
- 9.0.72
- 9.0.73
- 9.0.74
- 9.0.75
- 9.0.76
- 9.0.77
- 9.0.78
- 9.0.79
- 9.0.80
- 9.0.81
- 9.0.82
- 9.0.83
- 9.0.84
- 9.0.85
- 9.0.86
- 9.0.87
- 9.0.88
- 9.0.89
- 9.0.90
- 9.0.91
- 9.0.92
- 9.0.93
- 9.0.94
- 9.0.95
- 9.0.96
- 9.0.97
- 9.0.98
- 10.1.0
- 10.1.1
- 10.1.2
- 10.1.3
- 10.1.4
- 10.1.5
- 10.1.6
- 10.1.7
- 10.1.8
- 10.1.9
- 10.1.10
- 10.1.11
- 10.1.12
- 10.1.13
- 10.1.14
- 10.1.15
- 10.1.16
- 10.1.17
- 10.1.18
- 10.1.19
- 10.1.20
- 10.1.21
- 10.1.22
- 10.1.23
- 10.1.24
- 10.1.25
- 10.1.26
- 10.1.27
- 10.1.28
- 10.1.29
- 10.1.30
- 10.1.31
- 10.1.32
- 10.1.33
- 10.1.34
- 11.0.0
- 11.0.1
- 11.0.2
License
Website
- Vendor: https://www.apache.org/
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.7VulDB Meta Temp Score: 7.6
VulDB Base Score: 5.6
VulDB Temp Score: 5.4
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 9.8
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Path equivalenceCWE: CWE-44 / CWE-41
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Attacked
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
KEV Added: 🔍
KEV Due: 🔍
KEV Remediation: 🔍
KEV Ransomware: 🔍
KEV Notice: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 232530
Nessus Name: Apache Tomcat 11.0.0.M1 < 11.0.3
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Tomcat 9.0.99/10.1.35/11.0.3
Timeline
01/24/2025 🔍03/10/2025 🔍
03/10/2025 🔍
05/01/2025 🔍
Sources
Vendor: apache.orgAdvisory: lists.apache.org
Researcher: Sw0rd1ight
Status: Confirmed
CVE: CVE-2025-24813 (🔍)
GCVE (CVE): GCVE-0-2025-24813
GCVE (VulDB): GCVE-100-299092
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 03/10/2025 18:35Updated: 05/01/2025 21:30
Changes: 03/10/2025 18:35 (56), 03/11/2025 09:37 (2), 03/13/2025 07:39 (1), 03/19/2025 06:03 (11), 04/02/2025 00:33 (13), 04/08/2025 14:58 (3), 05/01/2025 21:30 (1)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.