CVE-2025-24813: CWE-44 Path Equivalence: 'file.name' (Internal Dot) in Apache Software Foundation Apache Tomcat
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
AI Analysis
Technical Summary
CVE-2025-24813 is a critical security vulnerability affecting multiple versions of Apache Tomcat, a widely used Java servlet container. The root cause is a path equivalence issue related to internal dots in filenames (e.g., 'file.name') processed by the default servlet when write operations are enabled. This flaw allows attackers to bypass normal file path restrictions and manipulate file uploads via partial PUT requests, which are enabled by default. If the default servlet's write capability is enabled (disabled by default), and partial PUT support is active, an attacker who knows the names of security-sensitive files can upload or modify these files, leading to information disclosure or injection of malicious content. Furthermore, if the application uses Tomcat's file-based session persistence with the default storage location and includes a library vulnerable to deserialization attacks, the attacker can achieve remote code execution. This is due to the ability to overwrite session files or upload crafted payloads that trigger deserialization vulnerabilities. The vulnerability affects Apache Tomcat versions 8.5.0 through 8.5.100, 9.0.0.M1 through 9.0.98, 10.1.0-M1 through 10.1.34, and 11.0.0-M1 through 11.0.2. End-of-life versions are also affected. The issue is tracked under CWE-44 (Path Equivalence) and CWE-502 (Deserialization of Untrusted Data). The vulnerability has a CVSS v3.1 base score of 10.0, reflecting its critical impact on confidentiality, integrity, and availability without requiring authentication or user interaction. No known exploits are publicly reported yet. The recommended mitigation is upgrading to Apache Tomcat versions 11.0.3, 10.1.35, or 9.0.99, which contain patches addressing this vulnerability.
Potential Impact
The impact of CVE-2025-24813 is severe and multifaceted. Organizations running vulnerable Apache Tomcat versions with write-enabled default servlets and partial PUT support risk unauthorized disclosure of sensitive files, modification or injection of malicious content into uploaded files, and potentially full remote code execution. Remote code execution can lead to complete system compromise, enabling attackers to execute arbitrary commands, deploy malware, or move laterally within networks. The vulnerability undermines confidentiality, integrity, and availability of affected systems. Given Apache Tomcat's widespread use in enterprise web applications, government portals, and cloud services, exploitation could disrupt critical services, cause data breaches, and damage organizational reputation. The ease of exploitation (no authentication or user interaction required) and the broad scope of affected versions amplify the threat. Additionally, the reliance on file-based session persistence and vulnerable deserialization libraries in many Java applications increases the risk of remote code execution. Organizations failing to patch promptly may face targeted attacks, especially in sectors relying heavily on Java web infrastructure.
Mitigation Recommendations
To mitigate CVE-2025-24813, organizations should:
1) Immediately upgrade Apache Tomcat to version 11.0.3, 10.1.35, or 9.0.99 or later, which contain the security fix.
2) Keep write access to the default servlet disabled (the default) unless it is explicitly required.
3) Disable or restrict partial PUT support if it is not essential to the application.
4) Review and harden file upload directories so that sensitive files are never stored in subdirectories reachable through public upload URLs.
5) Audit and update any libraries involved in deserialization to versions without known vulnerabilities, or enforce strict input validation and deserialization controls.
6) If file-based session persistence is used, migrate to another session management mechanism or protect the session storage location with strict access controls.
7) Implement monitoring and logging to detect unusual file upload or modification activity.
8) Conduct security testing and code reviews focused on file upload handling and deserialization.
These steps go beyond generic patching by addressing the configuration and architectural factors that contribute to exploitation risk.
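As an added example (written for this page, not code from the advisory or the Tomcat project), the following Python script checks the two preconditions an operator can verify directly from the text above: whether a Tomcat version falls inside the affected ranges, and whether conf/web.xml sets the DefaultServlet `readonly` init-param to false (Tomcat's switch for enabling writes; its default is true). The function names and the sample web.xml fragment are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
# Inclusive affected ranges and fixed release per branch, as stated in the advisory (8.5.x is EOL: no fix).
AFFECTED = {
    (8, 5): ("8.5.0", "8.5.100", None),
    (9, 0): ("9.0.0.M1", "9.0.98", "9.0.99"),
    (10, 1): ("10.1.0-M1", "10.1.34", "10.1.35"),
    (11, 0): ("11.0.0-M1", "11.0.2", "11.0.3"),
}

def version_key(v):
    """Sortable key for a Tomcat version; milestones (M1, M2, ...) sort before the final build."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch), int(ms) if ms else 10**6)

def version_status(v):
    """Return (affected, fixed_version); fixed_version is None for unaffected or EOL branches."""
    key = version_key(v)
    lo, hi, fixed = AFFECTED.get(key[:2], (None, None, None))
    return (lo is not None and version_key(lo) <= key <= version_key(hi)), fixed

def default_servlet_params(web_xml):
    """init-param name -> value for the DefaultServlet entry in conf/web.xml, ignoring XML namespaces."""
    local = lambda el: el.tag.rsplit("}", 1)[-1]
    for servlet in ET.fromstring(web_xml).iter():
        fields = {local(c): (c.text or "").strip() for c in servlet}
        if fields.get("servlet-class") != "org.apache.catalina.servlets.DefaultServlet":
            continue
        params = [{local(c): (c.text or "").strip() for c in p} for p in servlet if local(p) == "init-param"]
        return {kv.get("param-name"): kv.get("param-value") for kv in params}
    return {}

def audit(web_xml, version):
    """Findings that map one install onto the preconditions listed in the advisory."""
    findings = []
    affected, fixed = version_status(version)
    if affected:
        findings.append("affected version; upgrade to " + (fixed or "a supported branch (8.5 is EOL)"))
    # Tomcat's default for readonly is true; false enables writes (PUT/DELETE) through the default servlet.
    if (default_servlet_params(web_xml).get("readonly") or "true").lower() == "false":
        findings.append("DefaultServlet readonly=false: writes are enabled")
    return findings

# Constructed sample: a conf/web.xml fragment with writes enabled on the default servlet.
SAMPLE_WEB_XML = ('<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"><servlet><servlet-name>default</servlet-name>'
                  '<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class><init-param>'
                  '<param-name>readonly</param-name><param-value>false</param-value></init-param></servlet></web-app>')
```

Partial PUT support and the session-persistence configuration live elsewhere (Tomcat init-params and context.xml), so an operator still needs to check those two preconditions by hand.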
Affected Countries
United States, Germany, United Kingdom, India, China, Japan, France, Brazil, Canada, Australia, South Korea, Netherlands, Russia, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: apache
- Date Reserved: 2025-01-24T08:51:50.296Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 687e795da83201eaac11f328
Added to database: 7/21/2025, 5:31:09 PM
Last enriched: 2/27/2026, 12:37:11 PM
Last updated: 3/24/2026, 9:26:02 AM