Critical Apache Tomcat Vulnerability (CVE-2025-24813) Exploited for Remote Code Execution

A critical security flaw identified as CVE-2025-24813 has been discovered in Apache Tomcat, a widely used open-source Java servlet container. This vulnerability allows unauthenticated attackers to execute arbitrary code remotely, posing a significant threat to servers running affected versions of Tomcat.

Vulnerability Overview

CVE-2025-24813 is a path equivalence vulnerability arising from Apache Tomcat’s handling of partial PUT requests and file-based session persistence. Specifically, the flaw stems from improper processing of file paths: the DefaultServlet’s path mapping logic converts slashes to dots, so a request path can be made to map to a file it should not reach. This mismatch enables attackers to bypass security constraints and gain unauthorized access to sensitive files or inject malicious content.

Affected Versions

The vulnerability impacts the following versions of Apache Tomcat:

– 11.0.0-M1 to 11.0.2
– 10.1.0-M1 to 10.1.34
– 9.0.0-M1 to 9.0.98

Additionally, security researchers have identified that versions 8.5.0 to 8.5.98 and 8.5.100 are also vulnerable, though these were not included in Apache’s initial advisory.

Exploitation Details

Exploitation of CVE-2025-24813 involves a two-step process:

1. Uploading a Malicious Serialized Session: The attacker sends a PUT request containing a base64-encoded, serialized Java payload to a writable directory within Tomcat’s session storage. This payload is crafted to trigger remote code execution upon deserialization.

2. Triggering Execution via Session Cookie: The attacker then sends a GET request with a specially crafted `JSESSIONID` cookie that references the malicious session file. This action forces Tomcat to deserialize and execute the payload, granting the attacker complete control over the server.

Prerequisites for Exploitation

Successful exploitation requires specific conditions:

– Writes Enabled for the Default Servlet: The `readonly` attribute of the default servlet must be set to `false`, allowing write access via HTTP PUT requests. By default, `readonly` is `true`, so writes are disabled.

– Support for Partial PUT Enabled: Partial PUT functionality must be enabled, which is the default setting in Tomcat.

– File-Based Session Persistence: The application must use Tomcat’s file-based session persistence with the default storage location.

– Presence of a Deserialization-Vulnerable Library: The application must include a library that can be leveraged in a deserialization attack.

– Knowledge of Internal File Naming Conventions: The attacker must know the naming conventions used for session files within the application.

Impact and Observations

The rapid exploitation of this vulnerability is alarming. Proof-of-concept (PoC) exploits were published on GitHub within 30 hours of the vulnerability’s disclosure, leading to active attacks in the wild. Security researchers have observed that traditional security tools often fail to detect these attacks because the PUT requests appear normal, and the malicious content is obfuscated using base64 encoding.

Mitigation Measures

To protect against CVE-2025-24813, administrators should take the following actions:

– Upgrade Apache Tomcat: Update to the latest patched versions:

  – 11.0.3 or later
  – 10.1.35 or later
  – 9.0.99 or later

– Revert Default Servlet Configuration: Ensure that the `readonly` attribute of the default servlet is set to `true` to disable write access.

– Disable Partial PUT Support: Turn off support for partial PUT requests to prevent unauthorized file uploads.

– Avoid Storing Sensitive Files in Public Upload Directories: Ensure that security-sensitive files are not stored in subdirectories of public upload paths.
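A small audit script, added here as an example and not code from this advisory or from the Tomcat project, that reads a Tomcat `conf/web.xml` and reports whether the DefaultServlet satisfies the two configuration prerequisites listed above (`readonly` set to `false`, partial PUT enabled) that the first two mitigations reverse. It checks the `readonly` and `allowPartialPut` init-params of `org.apache.catalina.servlets.DefaultServlet` and falls back to Tomcat’s documented defaults when a parameter is absent; the two web.xml fragments are constructed samples, the weak configuration and the same block with the mitigations applied.

```python
"""Audit a Tomcat conf/web.xml for the DefaultServlet settings that CVE-2025-24813
exploitation depends on: readonly=false (PUT writes) and allowPartialPut=true."""
import xml.etree.ElementTree as ET

# Tomcat's documented defaults when the init-param is absent from web.xml.
DEFAULTS = {"readonly": "true", "allowPartialPut": "true"}

def _local(tag):
    """Strip the XML namespace so web.xml files of any schema version parse alike."""
    return tag.rsplit("}", 1)[-1]

def default_servlet_params(web_xml: str) -> dict:
    """Return the effective readonly/allowPartialPut values for the DefaultServlet."""
    root = ET.fromstring(web_xml)
    params = dict(DEFAULTS)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        klass = next((c.text for c in servlet if _local(c.tag) == "servlet-class"), "")
        if (klass or "").strip() != "org.apache.catalina.servlets.DefaultServlet":
            continue
        for ip in servlet:
            if _local(ip.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in ip}
            if kv.get("param-name") in params:
                params[kv["param-name"]] = kv.get("param-value", "").lower()
    return params

def audit(web_xml: str) -> list:
    """List the advisory's configuration prerequisites that this web.xml satisfies."""
    p = default_servlet_params(web_xml)
    findings = []
    if p["readonly"] == "false":
        findings.append("readonly=false: HTTP PUT can write files (advisory prerequisite)")
    if p["allowPartialPut"] == "true":
        findings.append("allowPartialPut=true: partial PUT enabled (Tomcat default)")
    return findings

# Constructed sample: the weak configuration the advisory warns about.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""

# Constructed sample: the same block with readonly=true and allowPartialPut=false applied.
HARDENED_WEB_XML = WEAK_WEB_XML.replace("<param-value>false</param-value>", "<param-value>true</param-value>").replace(
    "</init-param>", "</init-param><init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>")
```

Run `audit()` over the contents of `$CATALINA_BASE/conf/web.xml` (and any application web.xml that redefines the default servlet); an empty result means neither configuration prerequisite is present, while the remaining prerequisites, such as file-based session persistence, are outside what this check covers.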

Conclusion

CVE-2025-24813 represents a significant security risk due to its ease of exploitation and the widespread use of Apache Tomcat in enterprise environments. Organizations must act swiftly to apply patches and implement mitigation strategies to protect their systems from potential attacks.