
CVE-2025-24813: CWE-44 Path Equivalence: 'file.name' (Internal Dot) in Apache Software Foundation Apache Tomcat

Critical
Tags: Vulnerability, CVE-2025-24813, CWE-44, CWE-502
Published: Mon Mar 10 2025 (03/10/2025, 16:44:03 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Tomcat

Description

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:

- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

AI-Powered Analysis

Last updated: 08/13/2025, 00:57:33 UTC

Technical Analysis

CVE-2025-24813 is a critical vulnerability in Apache Tomcat, a widely used open-source Java Servlet Container developed by the Apache Software Foundation. The vulnerability arises from a path equivalence issue involving internal dots in file names ('file.name'), classified under CWE-44 (Path Equivalence) and CWE-502 (Deserialization of Untrusted Data). It affects Apache Tomcat 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34 and 9.0.0.M1 through 9.0.98, as well as the EOL 8.5.0 through 8.5.100 series.

The flaw lies in the Default Servlet's handling of file uploads when write access is enabled (disabled by default) and partial PUT support is active (enabled by default). Under those conditions, an attacker who knows the names of security-sensitive files being uploaded can manipulate uploads to view those files or inject content into them. Remote code execution (RCE) becomes possible when, in addition, the application uses Tomcat's file-based session persistence with the default storage location and includes a library that can be leveraged in a deserialization attack; that chain allows arbitrary code execution without authentication or user interaction.

The vulnerability's CVSS v3.1 score is 9.8 (critical), reflecting its high impact on confidentiality, integrity and availability, combined with exploitability over the network without privileges or user interaction. The Apache Software Foundation recommends upgrading affected Tomcat versions to 11.0.3, 10.1.35 or 9.0.99, where the issue is fixed. No known exploits are currently reported in the wild, but the severity and the conditions for exploitation warrant immediate attention.

Potential Impact

For European organizations, this vulnerability poses a significant risk due to Apache Tomcat's widespread use in enterprise web applications, government portals, and critical infrastructure services. Exploitation could lead to unauthorized disclosure of sensitive data, including personal data protected under GDPR, potentially resulting in regulatory fines and reputational damage. Remote code execution could allow attackers to take full control of affected servers, leading to data breaches, service disruption, or use of compromised systems as pivot points for further attacks within networks. Organizations relying on Tomcat for session persistence and file uploads are particularly exposed. Because write access for the Default Servlet is disabled by default, the risk is concentrated in misconfigurations or custom deployments that enable it. The impact extends to availability if attackers modify or delete critical files, disrupting business operations. Exploitation could also facilitate supply chain attacks if used to compromise software build or deployment pipelines hosted on Tomcat servers.

Mitigation Recommendations

1. Immediate upgrade of Apache Tomcat to fixed versions 11.0.3, 10.1.35, or 9.0.99 is the most effective mitigation.
2. Audit and disable write permissions for the Default Servlet unless explicitly required; this setting is disabled by default and should remain so unless necessary.
3. Disable or restrict support for partial PUT requests if not needed, as this feature is enabled by default and is a key enabler of the exploit.
4. Review and harden file upload directories to ensure that security-sensitive files are not stored in subdirectories accessible via public upload URLs.
5. Implement strict access controls and monitoring on upload endpoints to detect anomalous partial PUT requests or unusual file modifications.
6. For applications using file-based session persistence, consider migrating to alternative session management methods or secure the default storage location with strict permissions.
7. Conduct code reviews and dependency checks to identify and update libraries vulnerable to deserialization attacks, reducing the risk of RCE.
8. Employ runtime application self-protection (RASP) or web application firewalls (WAFs) with rules targeting suspicious file upload patterns and path traversal attempts.
9. Regularly monitor security advisories from Apache and apply patches promptly to minimize exposure windows.
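The first three recommendations and the session-persistence point in item 6 are all things that can be checked mechanically before an upgrade window opens. The script below is an added example, not part of this advisory and not code from the Apache Tomcat project: it compares a Tomcat version string against the fixed releases named above, reads the Default Servlet's effective init-params out of a web.xml, and checks whether a context.xml still leaves file-based session persistence on. It assumes the Tomcat init-param names `readonly` and `allowPartialPut` and the `<Manager pathname="">` attribute (real Tomcat settings, with Tomcat's documented defaults of readonly=true and allowPartialPut=true); the XML fragments are constructed for the example, with the weak configuration beside its hardened form.

```python
"""Audit a Tomcat deployment for the preconditions CVE-2025-24813 depends on.
Added example, not from the advisory or the Tomcat project. The XML fragments
are constructed; `readonly`, `allowPartialPut` and Manager `pathname` are real
Tomcat settings, with Tomcat's own defaults assumed below."""
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {(11, 0): "11.0.3", (10, 1): "10.1.35", (9, 0): "9.0.99"}

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"
# Tomcat's defaults for the two Default Servlet parameters that matter here.
DEFAULT_SERVLET_DEFAULTS = {"readonly": "true", "allowPartialPut": "true"}

# Constructed conf/web.xml: write-enabled Default Servlet, partial PUT left at default.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed hardened form: read-only Default Servlet, partial PUT switched off.
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed context.xml fragments: default persistence vs. persistence disabled.
DEFAULT_CONTEXT_XML = "<Context/>"
NO_PERSISTENCE_CONTEXT_XML = '<Context><Manager pathname=""/></Context>'


def parse_version(version: str) -> tuple:
    """Turn '11.0.2', '11.0.0-M1' or '9.0.0.M1' into a sortable tuple;
    a milestone build sorts before the final release of the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else 10**6)


def is_vulnerable_version(version: str) -> Optional[bool]:
    """True below the branch's fixed release; True for EOL 8.5.x (affected, no fix);
    None for branches the advisory does not enumerate."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in FIXED_BY_BRANCH:
        return parsed < parse_version(FIXED_BY_BRANCH[branch])
    if branch == (8, 5):
        return True
    return None


def _local(tag: str) -> str:
    """Strip the XML namespace so javaee and jakartaee web.xml files parse alike."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml: str) -> dict:
    """Effective init-params of the Default Servlet, starting from Tomcat's defaults."""
    params = dict(DEFAULT_SERVLET_DEFAULTS)
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = [(c.text or "").strip() for c in servlet if _local(c.tag) == "servlet-class"]
        if cls != [DEFAULT_SERVLET_CLASS]:
            continue
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in init_param}
            if "param-name" in kv:
                params[kv["param-name"]] = kv.get("param-value", "").lower()
    return params


def default_servlet_writable_partial_put(web_xml: str) -> bool:
    """The advisory's first two preconditions: writes enabled and partial PUT allowed."""
    p = default_servlet_params(web_xml)
    return p["readonly"] == "false" and p["allowPartialPut"] == "true"


def file_session_persistence_active(context_xml: str) -> bool:
    """StandardManager persists sessions to the work directory unless a <Manager>
    element sets pathname="" (Tomcat's documented way to switch it off)."""
    for el in ET.fromstring(context_xml).iter():
        if _local(el.tag) == "Manager" and el.get("pathname") is not None:
            return el.get("pathname") != ""
    return True


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, default_servlet_params(xml),
              "EXPOSED" if default_servlet_writable_partial_put(xml) else "ok")
    for v in ("9.0.98", "9.0.99", "11.0.0-M1", "8.5.100"):
        print(v, is_vulnerable_version(v))
```

Run it against a real `conf/web.xml` and the application's `META-INF/context.xml` by passing the file contents to the functions; a deployment where `default_servlet_writable_partial_put` is true on an unfixed version meets the advisory's first two preconditions regardless of anything else, and `file_session_persistence_active` tells you whether the RCE chain's third precondition is also present.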


Technical Details

Data Version: 5.1
Assigner Short Name: apache
Date Reserved: 2025-01-24T08:51:50.296Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 687e795da83201eaac11f328

Added to database: 7/21/2025, 5:31:09 PM

Last enriched: 8/13/2025, 12:57:33 AM

Last updated: 9/5/2025, 2:38:35 AM

