
Exploited! Apache Tomcat Path Equivalence Vulnerability (CVE-2025-24813)

Amit Sheps, Director of Product Marketing
March 12th, 2025

Apache Tomcat recently disclosed a critical security vulnerability, CVE-2025-24813, affecting several versions of its widely used servlet container. The flaw is a path equivalence weakness (CWE-44, "file.Name" with an internal dot): the default servlet's handling of partial PUT requests can map a filename containing internal dots, such as file...txt, onto a different resource than the one the name appears to denote. Exploitation could result in unauthorized information disclosure, file manipulation and, under additional conditions, remote code execution (RCE).

What is CVE-2025-24813 Apache Tomcat Path Equivalence Vulnerability?

Affected Apache Tomcat versions include:

  • 9.0.0.M1 through 9.0.98
  • 10.1.0-M1 through 10.1.34
  • 11.0.0-M1 through 11.0.2

When the default servlet processes a partial PUT, it stores the uploaded bytes under a temporary name derived from the request path, and internal dots in that path are not normalized the way the rest of the path is. An attacker who can write through the default servlet can therefore make an upload collide with a file the server later resolves for a different, sensitive purpose: reading what another user uploaded, corrupting it, or, if session files are reachable, getting Tomcat to deserialize attacker-controlled data.

Exploiting the Vulnerability

1. Information Disclosure and File Manipulation

All of the following must hold for this outcome (the first two are the settings the rest of the post refers back to):

  • Writes enabled for the default servlet (readonly set to false; the shipped default is true).
  • Partial PUT requests enabled (allowPartialPut, which defaults to true).
  • A target URL for security-sensitive uploads that is a sub-directory of the target URL for public uploads.
  • Attacker knowledge of the names of the sensitive files being uploaded, with those files also being uploaded via partial PUT.

Example malicious HTTP request (illustrative; a partial PUT is a PUT that carries a Content-Range header):

PUT /uploads/sensitive-dir/config...xml HTTP/1.1
Host: vulnerable-server.com
Content-Range: bytes 0-1023/2048
Content-Length: 1024

<malicious payload>

Because the partial upload is stored under a name derived from the request path, a crafted path collides with a sensitive file uploaded beneath the public upload directory, letting the attacker read that file's contents or inject content into it.

2. Remote Code Execution (RCE)

Severe consequences arise if, in addition to the two settings above (writable default servlet and partial PUT enabled):

  • The application uses Tomcat's file-based session persistence (PersistentManager with a FileStore) with the default storage location.
  • The application includes a library that can be leveraged in a deserialization attack.

Example attack scenario (illustrative):

PUT /uploads/sessions/SESSION123...session HTTP/1.1
Host: vulnerable-server.com
Content-Range: bytes 0-2047/4096
Content-Length: 2048

<serialized malicious payload>

The partial upload lands on disk in the location where the FileStore looks for persisted sessions. A follow-up request presenting a JSESSIONID cookie that names the planted session makes Tomcat load the file and deserialize it; with a suitable gadget chain on the classpath, that deserialization executes arbitrary code.
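The two requests above leave a trace in Tomcat's access log, which is the first place to look when checking whether a writable default servlet has actually been hit. The following is an added example, not code from the original post: a small scanner over access-log lines in Tomcat's "common" pattern that reports every PUT the server handled and marks as high severity any PUT whose target has the shape of the requests above. The heuristics (consecutive dots inside a path segment, a target name ending in "session") are my own, the log lines are constructed, and headers such as Content-Range are not visible in this log pattern, so the scan works on the path alone.

```python
import re
from urllib.parse import unquote

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
# %r is the request line, which gives us method, target and protocol. Request
# headers (Content-Range included) are not logged in this pattern.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample log, not a real capture. Lines 3 and 4 mirror the shapes of
# the example requests in the post; the other lines are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 1234
203.0.113.7 - - [12/Mar/2025:10:15:40 +0000] "PUT /uploads/report.pdf HTTP/1.1" 201 -
198.51.100.23 - - [12/Mar/2025:10:16:01 +0000] "PUT /uploads/sensitive-dir/config...xml HTTP/1.1" 204 -
198.51.100.23 - - [12/Mar/2025:10:16:09 +0000] "PUT /uploads/sessions/SESSION123...session HTTP/1.1" 204 -
198.51.100.23 - - [12/Mar/2025:10:16:15 +0000] "GET /uploads/ HTTP/1.1" 500 -
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def put_risk_reasons(target):
    """Heuristics (mine, not from the advisory) for a PUT target that looks like a
    path-equivalence write: a segment containing consecutive dots, or a final name
    ending in 'session', which is the shape the session-store attack relies on."""
    path = unquote(target.split("?", 1)[0])  # decode %2E etc. before inspecting
    segments = [s for s in path.split("/") if s]
    reasons = []
    if any(".." in s for s in segments):
        reasons.append("consecutive dots inside a path segment")
    if segments and segments[-1].lower().endswith("session"):
        reasons.append("target name ends in 'session'")
    return reasons


def scan_access_log(lines):
    """Report every PUT the server handled. A plain PUT is 'low' (it proves writes
    are enabled, precondition one); a PUT matching the heuristics is 'high'."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "PUT":
            continue
        reasons = put_risk_reasons(rec["target"])
        findings.append({
            "host": rec["host"],
            "target": rec["target"],
            "status": int(rec["status"]),
            "severity": "high" if reasons else "low",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f["severity"].upper(), f["host"], f["target"], "; ".join(f["reasons"]))
```

Any "low" finding is already worth a question: it means the default servlet accepted a write, which the shipped configuration does not allow. If the server uses a different AccessLogValve pattern, adjust LOG_RE to match it; the heuristics only need the method and the target.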

Potential Risks

Risks associated with CVE-2025-24813 are substantial:

  • Confidentiality: Exposure or leakage of sensitive information.
  • Integrity: Unauthorized modification of critical files.
  • System compromise: Complete server control through remote code execution, enabling attackers to install malware or conduct lateral network movement.

Immediate remediation is essential due to the widespread use of Tomcat in enterprise environments.

Mitigation Steps

Mitigate risks effectively through:

1. Patch and Upgrade Apache Tomcat

Apply official patches immediately:

  • Version 9.0.x: Upgrade to 9.0.99 or later.
  • Version 10.1.x: upgrade to 10.1.35 or later.
  • Version 11.0.x: upgrade to 11.0.3 or later.

Upgrade example using Ubuntu/Debian (distribution packages backport security fixes, so the package version can stay below 9.0.99 even after the fix is applied; confirm the fix through the package changelog rather than the version number alone):

sudo apt update
sudo apt install --only-upgrade tomcat9
apt changelog tomcat9 | grep CVE-2025-24813

Check the version Tomcat itself reports (the path assumes the layout of the Debian tomcat9 package):

java -cp /usr/share/tomcat9/lib/catalina.jar org.apache.catalina.util.ServerInfo
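Deciding whether a reported version falls inside the affected ranges is easy to get wrong by hand because of the milestone builds (9.0.0.M1, 10.1.0-M1 and so on, which precede the final release with the same numbers). The following is an added example, not part of the original post: a classifier that parses the version strings Tomcat prints (bare "9.0.98", or the "Apache Tomcat/9.0.98" form from ServerInfo or version.sh) and checks them against the ranges listed above. The ADVISORY table is transcribed from this post; end-of-life lines such as 8.5.x and 10.0.x are not in the advisory and are reported as such rather than guessed at.

```python
import re

# Affected ranges quoted in the post (first affected, first fixed), keyed by the
# major.minor release line. 8.5.x and 10.0.x are end-of-life and not listed in the
# advisory, so they come back as "not-in-advisory" rather than being guessed at.
ADVISORY = {
    (9, 0):  ("9.0.0.M1",  "9.0.99"),
    (10, 1): ("10.1.0-M1", "10.1.35"),
    (11, 0): ("11.0.0-M1", "11.0.3"),
}

# Matches 9.0.98, 9.0.0.M1, 10.1.0-M1, and the "Apache Tomcat/9.0.99" form printed
# by org.apache.catalina.util.ServerInfo or bin/version.sh.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")

FINAL = float("inf")  # sentinel so a final release sorts after all of its milestones


def parse_version(text):
    """Extract a Tomcat version from free text as a comparable tuple
    (major, minor, patch, milestone). Milestone builds (M1, M2, ...) sort before the
    final release that carries the same three numbers."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else FINAL)


def classify(text):
    """Return 'affected', 'fixed' or 'not-in-advisory' for a version string."""
    v = parse_version(text)
    rng = ADVISORY.get(v[:2])
    if rng is None:
        return "not-in-advisory"
    first_affected, first_fixed = parse_version(rng[0]), parse_version(rng[1])
    return "affected" if first_affected <= v < first_fixed else "fixed"


if __name__ == "__main__":
    # Version lines as pasted from hosts; replace with your own inventory
    for line in ["Server version: Apache Tomcat/9.0.98", "Apache Tomcat/11.0.3", "10.1.0-M1"]:
        print(f"{line:45} -> {classify(line)}")
```

The classifier speaks about upstream version numbers only. For a distribution package that backports the fix (the Debian/Ubuntu case above), "affected" from this check means "verify the changelog", not "vulnerable".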

2. Immediate Configuration Adjustments

If immediate upgrade isn’t feasible:

In conf/web.xml, make sure the default servlet is read-only (readonly defaults to true, so the parameter only matters if something has set it to false) and disable partial PUT in the same servlet definition:

<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>readonly</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>allowPartialPut</param-name>
    <param-value>false</param-value>
  </init-param>
</servlet>

Either setting on its own removes one of the preconditions; apply both unless an application genuinely needs partial uploads through the default servlet. If file-based session persistence (PersistentManager with a FileStore) is not required, removing it from context.xml also closes the RCE path.

3. Secure File Upload Directories

Audit permissions regularly, keep security-sensitive upload targets out from under publicly writable upload paths (the sub-directory relationship is one of the preconditions above), and avoid exposing write access through the default servlet where an application-specific upload handler would do.
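The configuration checks in steps 2 and 3 can be run across a fleet rather than read by eye. The following is an added example, not code from the original post: it parses a Tomcat conf/web.xml for the default servlet's init-params, parses a context.xml for a PersistentManager backed by a FileStore, and maps the result onto the preconditions listed earlier in the post. The sample documents are constructed; the first web.xml is the weak configuration (readonly=false, allowPartialPut left at its default), the second is the hardened form from step 2.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from a real host). The first web.xml enables writes
# on the default servlet and leaves allowPartialPut at its default (true); the second
# is the hardened form. The context.xml turns on file-based session persistence.
VULNERABLE_WEB_XML = """\
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""

HARDENED_WEB_XML = """\
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""

FILE_STORE_CONTEXT_XML = """\
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>
"""


def default_servlet_params(web_xml):
    """Return the init-params of the servlet named 'default' ({} if absent).
    The {*} wildcard ignores whichever web-app namespace the file declares."""
    root = ET.fromstring(web_xml)
    for servlet in root.iterfind("{*}servlet"):
        if servlet.findtext("{*}servlet-name") != "default":
            continue
        return {
            ip.findtext("{*}param-name"): (ip.findtext("{*}param-value") or "").strip()
            for ip in servlet.iterfind("{*}init-param")
        }
    return {}


def uses_file_store(context_xml):
    """True if a PersistentManager with a FileStore is configured in context.xml."""
    root = ET.fromstring(context_xml)
    for manager in root.iter("Manager"):
        if manager.get("className", "").endswith(".PersistentManager"):
            if any(s.get("className", "").endswith(".FileStore") for s in manager.iter("Store")):
                return True
    return False


def audit(web_xml, context_xml):
    """Map the configuration onto the preconditions the post lists; return findings."""
    params = default_servlet_params(web_xml)
    # Tomcat defaults when the parameter is absent: readonly=true, allowPartialPut=true
    writable = params.get("readonly", "true").lower() == "false"
    partial_put = params.get("allowPartialPut", "true").lower() != "false"
    findings = []
    if writable and partial_put:
        findings.append("default servlet accepts partial PUT writes: "
                        "information disclosure / file corruption preconditions met")
        if uses_file_store(context_xml):
            findings.append("file-based session persistence configured: "
                            "RCE precondition met as well")
    elif writable:
        findings.append("readonly=false: writes are enabled; partial PUT is off, so the "
                        "CVE path is closed, but a writable default servlet still needs "
                        "a justification")
    return findings


if __name__ == "__main__":
    for name, web in [("vulnerable", VULNERABLE_WEB_XML), ("hardened", HARDENED_WEB_XML)]:
        print(name, audit(web, FILE_STORE_CONTEXT_XML) or ["no findings"])
```

Point default_servlet_params at the global conf/web.xml and, for each deployed application, at its WEB-INF/web.xml as well: an application can redefine the default servlet with its own init-params, and the per-application context.xml (or META-INF/context.xml inside the WAR) is where a PersistentManager is usually declared.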

Am I Impacted by CVE-2025-24813?

IONIX is actively tracking CVE-2025-24813. Our security research team has developed a full exploit simulation model based on known exploits. This allows us to assess which customers have impacted assets. IONIX customers can view updated information on their specific assets in the threat center of the IONIX portal.

