CVE-2025-24813: CWE-44 Path Equivalence: 'file.name' (Internal Dot) in Apache Software Foundation Apache Tomcat
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
AI Analysis
Technical Summary
CVE-2025-24813 is a critical vulnerability affecting multiple recent versions of Apache Tomcat, specifically versions from 9.0.0.M1 through 9.0.98, 10.1.0-M1 through 10.1.34, and 11.0.0-M1 through 11.0.2. The vulnerability arises from a path equivalence issue in the handling of internal dots in file names ('file.name'), categorized under CWE-44 (Path Equivalence) and CWE-502 (Deserialization of Untrusted Data). This flaw can lead to remote code execution (RCE), information disclosure, or unauthorized modification of uploaded files when certain conditions are met. The flaw lies in the behavior of the default servlet in Apache Tomcat when write permissions are enabled (disabled by default) and partial PUT support is active (enabled by default). An attacker can leverage this to access or modify security-sensitive files if those files are uploaded to a subdirectory of a public upload directory and the attacker knows their names. Specifically, partial PUT requests allow an attacker to upload or modify parts of files, potentially injecting malicious content. Remote code execution is possible if the application uses Tomcat's file-based session persistence with the default storage location and includes a library that can be leveraged in a deserialization attack. This chain allows an attacker to execute arbitrary code on the server without authentication or user interaction. The vulnerability has a CVSS v3.1 score of 9.8 (critical), reflecting its high impact on confidentiality, integrity, and availability, combined with ease of exploitation over the network without privileges or user interaction. The Apache Software Foundation has addressed this issue in versions 11.0.3, 10.1.35, and 9.0.99, and users are strongly advised to upgrade.
Impact: For European organizations, this vulnerability poses a significant risk due to the widespread use of Apache Tomcat in enterprise web applications, government portals, and critical infrastructure services. Exploitation could lead to unauthorized data disclosure, including sensitive personal and corporate information protected under GDPR, potentially resulting in regulatory penalties and reputational damage. Remote code execution could allow attackers to take full control of affected servers, leading to data breaches, service disruption, or use of compromised systems as a foothold for further attacks. The requirement for write-enabled default servlets and partial PUT support means that some deployments may be more vulnerable depending on their configuration, but misconfigurations are common in complex environments.

Mitigation: Beyond upgrading to the patched versions, organizations should audit their Tomcat configurations to ensure the default servlet's write permissions are disabled unless explicitly required. Disable partial PUT support if not needed, as it increases attack surface. Review and restrict upload directories to prevent security-sensitive files from residing under public upload paths. Implement strict access controls and monitoring on file upload endpoints. For applications using file-based session persistence, consider switching to database or memory-based session storage to reduce risk. Additionally, review third-party libraries for deserialization vulnerabilities and apply patches or mitigations such as input validation and deserialization guards. Employ runtime application self-protection (RASP) or web application firewalls (WAF) with rules targeting suspicious PUT requests and anomalous file modifications.

Affected Countries: Countries with high adoption of Apache Tomcat in government, finance, and critical infrastructure sectors are most at risk. This includes Germany, the United Kingdom, France, Italy, Spain, and the Netherlands, where Tomcat is commonly used in enterprise and public sector applications. Historical attack patterns show that attackers often target these countries due to their economic importance and regulatory environments. Geopolitical factors, such as increased cyber espionage and ransomware activity targeting European Union member states, further elevate the risk. Organizations in these countries should prioritize remediation efforts.

Confidence: 0.95
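The monitoring recommended above needs a way to tell a partial PUT from an ordinary one. A partial PUT is a PUT request carrying a Content-Range header, so the header has to be written to the access log before it can be alerted on. The script below is an added example (not from the advisory, and not Tomcat's own code); it assumes the AccessLogValve was configured with the pattern `%h %t "%r" %s %b "%{Content-Range}i"`, parses lines in that shape, and reports PUT requests that carried a Content-Range header, counted per client and split by whether the server accepted them. The log lines are constructed samples.

```python
"""Flag partial PUT requests in Tomcat access logs (added example, not from the advisory).

Assumes the AccessLogValve pattern  %h %t "%r" %s %b "%{Content-Range}i"
so that the Content-Range request header, which is what makes a PUT "partial",
is the last quoted field. SAMPLE_LOG is a constructed sample in that format.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<content_range>[^"]*)"$'
)

# Constructed sample: one ordinary PUT and two partial PUTs from a second client.
SAMPLE_LOG = """\
203.0.113.7 [21/Jul/2025:17:31:09 +0000] "GET /app/index.html HTTP/1.1" 200 512 "-"
203.0.113.7 [21/Jul/2025:17:31:12 +0000] "PUT /uploads/report.txt HTTP/1.1" 201 - "-"
198.51.100.9 [21/Jul/2025:17:32:01 +0000] "PUT /uploads/notes.txt HTTP/1.1" 204 - "bytes 0-99/1000"
198.51.100.9 [21/Jul/2025:17:32:02 +0000] "PUT /uploads/notes.txt HTTP/1.1" 204 - "bytes 100-199/1000"
198.51.100.9 [21/Jul/2025:17:32:05 +0000] "GET /uploads/notes.txt HTTP/1.1" 200 200 "-"
"""


def parse_line(line):
    """Parse one access-log line into a dict of fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_partial_puts(log_text):
    """Return the parsed entries for PUT requests that carried a Content-Range header."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        # The valve logs "-" when the request had no Content-Range header.
        if entry["method"] == "PUT" and entry["content_range"] not in ("", "-"):
            hits.append(entry)
    return hits


def summarize(log_text):
    """Count partial PUTs overall, per client, and how many the server accepted (2xx)."""
    hits = find_partial_puts(log_text)
    per_client = Counter(h["host"] for h in hits)
    accepted = sum(1 for h in hits if h["status"].startswith("2"))
    return {"partial_puts": len(hits), "per_client": dict(per_client), "accepted": accepted}


if __name__ == "__main__":
    for hit in find_partial_puts(SAMPLE_LOG):
        print(f'{hit["host"]} PUT {hit["path"]} Content-Range: {hit["content_range"]} -> {hit["status"]}')
    print(summarize(SAMPLE_LOG))
```

Any accepted partial PUT from a client that is not a known uploader is worth investigating; on a server where the default servlet is read-only, a PUT should never return a 2xx status at all, so the "accepted" count doubles as a check that the hardening is in effect.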
Potential Impact
European organizations face severe risks from CVE-2025-24813 due to Apache Tomcat's prevalence in critical web applications and infrastructure. Exploitation can lead to unauthorized disclosure of sensitive data, violating GDPR and other privacy regulations, resulting in legal and financial repercussions. Remote code execution enables attackers to compromise entire systems, potentially disrupting services, stealing intellectual property, or launching further attacks within organizational networks. The vulnerability's exploitation requires no authentication or user interaction, increasing the likelihood of successful attacks, especially in environments with misconfigured default servlets or partial PUT enabled. The impact extends to sectors such as finance, healthcare, government, and manufacturing, where Tomcat-based applications are integral to operations and data handling.
Mitigation Recommendations
1. Upgrade Apache Tomcat to versions 11.0.3, 10.1.35, or 9.0.99 immediately to apply the official patch.
2. Audit and disable write permissions on the default servlet unless explicitly required by the application.
3. Disable partial PUT support if not necessary to reduce attack surface.
4. Segregate upload directories to ensure security-sensitive files are not stored under public upload paths.
5. Transition from file-based session persistence to database or memory-based session storage to mitigate deserialization attack vectors.
6. Conduct thorough reviews of third-party libraries for deserialization vulnerabilities and apply necessary patches or mitigations.
7. Implement strict access controls and monitoring on file upload endpoints to detect and block suspicious activities.
8. Deploy Web Application Firewalls (WAF) or Runtime Application Self-Protection (RASP) solutions configured to detect anomalous PUT requests and file modifications.
9. Educate development and operations teams on secure configuration practices for Tomcat and file upload handling.
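Steps 2, 3 and 5 above are configuration checks that can be scripted. The audit below is an added example (not part of the advisory or of Tomcat): it reads a Tomcat `web.xml` (normally `conf/web.xml`, where the DefaultServlet is declared) and a `context.xml`, and reports which of the advisory's preconditions are present. It assumes the DefaultServlet's `readonly` init-param (default `true`) governs writes, that the fixed releases expose an `allowPartialPut` init-param (default `true`) for switching partial PUT off (this parameter name is my assumption; on unpatched releases the only effective control is keeping `readonly` at `true`), and that a `<Manager pathname="">` element in `context.xml` disables Tomcat's default file-based session persistence. The XML documents in the block are constructed samples, one vulnerable and one hardened.

```python
"""Audit Tomcat configuration for the CVE-2025-24813 preconditions.

Added example, not from the advisory and not Tomcat's own code. Assumptions:
  - DefaultServlet init-param readonly=false means the default servlet is write-enabled;
  - the init-param allowPartialPut=false (name assumed, as added in the fixed releases)
    disables partial PUT; absent means the default, which is enabled;
  - <Manager pathname=""> in context.xml disables file-based session persistence,
    and its absence means the default manager persists sessions to a file.
The sample documents below are constructed.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: write-enabled default servlet, partial PUT left at its default.
VULNERABLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed sample: read-only default servlet and partial PUT explicitly disabled.
HARDENED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

DEFAULT_CONTEXT_XML = "<Context></Context>"                       # no Manager element at all
HARDENED_CONTEXT_XML = '<Context><Manager pathname=""/></Context>'  # persistence switched off


def _local(tag):
    """Strip an XML namespace prefix such as {https://jakarta.ee/xml/ns/jakartaee}."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml):
    """Return the DefaultServlet's init-params as {name: value}; {} if it is not declared."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls, params = None, {}
        for child in servlet:
            if _local(child.tag) == "servlet-class":
                cls = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                name = value = None
                for p in child:
                    if _local(p.tag) == "param-name":
                        name = (p.text or "").strip()
                    elif _local(p.tag) == "param-value":
                        value = (p.text or "").strip()
                if name:
                    params[name] = value
        if cls == DEFAULT_SERVLET_CLASS:
            return params
    return {}


def session_persistence_disabled(context_xml):
    """True only when context.xml carries <Manager pathname=""> (assumed to disable the file store)."""
    root = ET.fromstring(context_xml)
    return any(_local(el.tag) == "Manager" and el.get("pathname") == "" for el in root.iter())


def audit(web_xml, context_xml):
    """Return the list of preconditions found; an empty list means none of them apply."""
    findings = []
    params = default_servlet_params(web_xml)
    if params.get("readonly", "true").strip().lower() == "false":
        findings.append("default servlet is write-enabled (readonly=false)")
        # Partial PUT only matters once writes are allowed, so it is reported as a second finding.
        if params.get("allowPartialPut", "true").strip().lower() != "false":
            findings.append("partial PUT not disabled (allowPartialPut missing or true)")
    if not session_persistence_disabled(context_xml):
        findings.append('file-based session persistence not disabled (no <Manager pathname="">)')
    return findings


if __name__ == "__main__":
    print("vulnerable:", audit(VULNERABLE_WEB_XML, DEFAULT_CONTEXT_XML))
    print("hardened:  ", audit(HARDENED_WEB_XML, HARDENED_CONTEXT_XML))
```

The three findings map onto the advisory's own preconditions: the first two are required for both the information-disclosure and the RCE variant, and the third is the session-persistence requirement of the RCE chain. The deserialization-gadget precondition cannot be read from configuration files and still needs a review of the deployed libraries.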
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: apache
- Date Reserved: 2025-01-24T08:51:50.296Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 687e795da83201eaac11f328
Added to database: 7/21/2025, 5:31:09 PM
Last enriched: 7/21/2025, 5:46:16 PM
Last updated: 7/21/2025, 8:32:34 PM
Views: 3