CVE-2025-24813: CWE-44 Path Equivalence: 'file.name' (Internal Dot) in Apache Software Foundation Apache Tomcat
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT
If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack
Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
AI Analysis
Technical Summary
CVE-2025-24813 is a critical vulnerability in Apache Tomcat stemming from a path equivalence issue involving internal dots in file names ('file.name'). It affects Apache Tomcat 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, 9.0.0.M1 through 9.0.98, and the EOL 8.5.0 through 8.5.100 releases, and allows attackers to achieve remote code execution (RCE), information disclosure, or injection of malicious content into uploaded files via the default servlet when certain conditions are met. The vulnerability is only reachable when the default servlet has write permissions enabled (disabled by default) and partial PUT requests are supported (enabled by default). For the information-disclosure and content-injection case, the attacker targets a security-sensitive upload location that is a subdirectory of a public upload URL, must know the names of the sensitive files, and those files must themselves be uploaded via partial PUT. For RCE, the application must additionally use Tomcat's file-based session persistence with the default storage location and include a library that can be leveraged in a deserialization attack. The vulnerability is classified under CWE-44 (Path Equivalence) and CWE-502 (Deserialization of Untrusted Data): manipulating file paths with internal dots lets an attacker bypass the intended path restrictions, leading to unauthorized file access or code execution. The CVSS v3.1 score is 10.0 (critical), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and impacts on confidentiality, integrity, and availability with scope change. No known exploits are currently reported in the wild, but the severity demands urgent attention. The recommended mitigation is upgrading to Apache Tomcat 11.0.3, 10.1.35, or 9.0.99, which address the issue.
Potential Impact
For European organizations, the impact of CVE-2025-24813 is severe. Exploitation can lead to full remote code execution on affected servers, allowing attackers to take control of web applications, steal sensitive data, manipulate or delete files, and disrupt services. Information disclosure risks expose confidential business or personal data, potentially violating GDPR and other data protection regulations, leading to legal and financial consequences. Organizations using default servlet write permissions and partial PUT support in Tomcat are particularly vulnerable, especially those relying on file-based session persistence and vulnerable deserialization libraries. Critical sectors such as finance, healthcare, government, and telecommunications that rely heavily on Java-based web applications and Tomcat servers face heightened risks. The ability to execute code remotely without authentication or user interaction increases the likelihood of automated exploitation and widespread compromise. This vulnerability could facilitate ransomware deployment, espionage, or sabotage, impacting availability and trust in digital services across Europe.
Mitigation Recommendations
1. Immediately upgrade Apache Tomcat to versions 11.0.3, 10.1.35, or 9.0.99, which contain patches for this vulnerability.
2. Disable write permissions on the default servlet unless explicitly required; this is disabled by default and should remain so unless necessary.
3. Disable or restrict support for partial PUT requests if not needed, as this feature is enabled by default and is a key enabler of the exploit.
4. Review and harden file upload directories to ensure security-sensitive files are not stored in subdirectories accessible via public upload URLs.
5. Avoid using file-based session persistence with default storage locations; consider alternative session management strategies.
6. Audit and update all third-party libraries to eliminate deserialization vulnerabilities that could be chained with this exploit.
7. Implement strict access controls and monitoring on upload endpoints to detect anomalous PUT requests or unusual file modifications.
8. Conduct thorough code reviews and penetration testing focusing on file upload and session persistence mechanisms.
9. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious path traversal or partial PUT requests.
10. Maintain an incident response plan to quickly address any exploitation attempts.
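As an added audit check (not from the advisory and not Tomcat's own code), the script below tests the two configuration preconditions named in recommendations 2 and 3, the DefaultServlet's `readonly` and `allowPartialPut` init-params in conf/web.xml, and compares a version string against the fixed releases listed above; the web.xml it parses is constructed inline, and treating EOL branches older than 8.5 as affected is this script's conservative assumption.

```python
"""Audit a Tomcat deployment for the CVE-2025-24813 preconditions (added example, not from the advisory)."""
import re
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
FIXED = {11: (11, 0, 3), 10: (10, 1, 35), 9: (9, 0, 99)}  # first fixed release per branch

def parse_version(v):
    """'9.0.0.M1', '11.0.0-M1' or '10.1.35' -> (major, minor, patch); milestones sort as .0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M\d+)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True if the version lies inside the affected ranges given in the advisory."""
    ver = parse_version(version)
    if ver[0] < 9:
        # 8.5.0-8.5.100 are known affected and EOL (no fix). Older EOL branches "may also be
        # affected"; this script treats them as affected (assumption, conservative).
        return True
    fixed = FIXED.get(ver[0])
    return fixed is not None and ver < fixed

def default_servlet_params(web_xml_text):
    """Return the DefaultServlet's init-params from a web.xml, or None if it is not declared."""
    root = ET.fromstring(web_xml_text)
    ns = root.tag.split("}")[0] + "}" if root.tag.startswith("{") else ""  # javaee or jakartaee
    for servlet in root.iter(ns + "servlet"):
        if servlet.findtext(ns + "servlet-class", "").strip() == DEFAULT_SERVLET:
            return {p.findtext(ns + "param-name", "").strip(): p.findtext(ns + "param-value", "").strip()
                    for p in servlet.iter(ns + "init-param")}
    return None

def audit(web_xml_text, version):
    """'exposed' is True only when the version is unpatched AND writes AND partial PUT are on."""
    params = default_servlet_params(web_xml_text) or {}
    writes = params.get("readonly", "true").strip().lower() == "false"          # default: read-only
    partial_put = params.get("allowPartialPut", "true").strip().lower() != "false"  # default: on
    affected = is_affected(version)
    return {"affected_version": affected, "writes_enabled": writes,
            "partial_put_enabled": partial_put, "exposed": affected and writes and partial_put}

def make_web_xml(**init_params):
    """Build a minimal web.xml declaring the DefaultServlet (constructed sample input)."""
    params = "".join(f"<init-param><param-name>{k}</param-name><param-value>{v}</param-value>"
                     "</init-param>" for k, v in init_params.items())
    return ('<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0"><servlet>'
            f"<servlet-name>default</servlet-name><servlet-class>{DEFAULT_SERVLET}</servlet-class>"
            f"{params}</servlet></web-app>")
```

Run `audit()` against the real conf/web.xml and against each application's WEB-INF/web.xml, since an application can redeclare the default servlet with its own init-params.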
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: apache
- Date Reserved: 2025-01-24T08:51:50.296Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 687e795da83201eaac11f328
Added to database: 7/21/2025, 5:31:09 PM
Last enriched: 10/29/2025, 12:27:27 PM
Last updated: 12/11/2025, 6:24:00 AM