CVE-2025-24813 org.apache.tomcat:tomcat-catalina

Package

Manager: maven
Name: org.apache.tomcat:tomcat-catalina
Vulnerable Version: >=11.0.0-m1 <11.0.3 || >=10.1.0-m1 <10.1.35 || >=9.0.0.m1 <9.0.99 || >=8.5.0 <=8.5.100

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.94157 (percentile 0.99908)

Details

Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

Metadata

Created: 2025-03-10T18:31:56Z
Modified: 2025-08-08T18:49:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-83qj-6fr2-vhqg/GHSA-83qj-6fr2-vhqg.json
CWE IDs: ["CWE-44", "CWE-502"]
Alternative ID: GHSA-83qj-6fr2-vhqg
Finding: F100
Auto approve: 1