⚠ Actively exploited
Added to CISA KEV on 2025-04-01. Federal agencies required to patch by 2025-04-22. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Severity: 9.8 CRITICAL
EPSS: 94.2% (top 0.08%)
CISA KEV: added 2025-04-01, due 2025-04-22
Exploit: public exploit / PoC available

Timeline
Published: Mar 10
KEV added: Apr 1
KEV due: Apr 22
Latest update: Jul 15

Description

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (7 packages)

Source | Package | Version range
NVD | apache/tomcat | 10.1.1 → 10.1.35 (+4)
Maven | org.apache.tomcat:tomcat-catalina | 11.0.0-M1 → 11.0.3 (+3)
Maven | org.apache.tomcat.embed:tomcat-embed-core | 11.0.0-M1 → 11.0.3 (+3)
CVEListV5 | apache_software_foundation/apache_tomcat | 11.0.0-M1 → 11.0.2 (+3)
Debian | tomcat9 | < 9.0.43-2~deb11u12 (+3)

Also affects: Debian Linux 11.0

🔴 Vulnerability Details (6)

OSV: Tomcat vulnerability (2025-05-26)
CVEList: Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT (2025-03-10)
OSV: Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT (2025-03-10)
OSV: CVE-2025-24813: Path Equivalence: 'file (2025-03-10)
GHSA: Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT (2025-03-10)

💥 Exploits & PoCs (2)

Exploit-DB: Apache Tomcat 11.0.3 - Remote Code Execution (2025-04-07)
Nuclei: Apache Tomcat Path Equivalence - Remote Code Execution

🔍 Detection Rules (1)

Suricata: ET WEB_SPECIFIC_APPS Apache Tomcat Path Equivalence (CVE-2025-24813) (2025-03-12)

📋 Vendor Advisories (7)

Oracle: Oracle Hospitality Applications Risk Matrix: Next-Gen SPMS (Apache Tomcat) — CVE-2025-24813 (2025-07-15)
Ubuntu: Tomcat vulnerability (2025-05-26)
Ubuntu: Tomcat vulnerability (2025-05-21)
Oracle: Oracle Commerce Risk Matrix: Content Acquisition System (Apache Tomcat) — CVE-2025-24813 (2025-04-15)
CISA: Apache Tomcat Path Equivalence Vulnerability (2025-04-01)

🕵️ Threat Intelligence (7)

Unit42: Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack (2025-07-03)
Wiz: Crying Out Cloud Newsletter - April 2025 | Wiz (2025-04-01)
Bleepingcomputer: Critical RCE flaw in Apache Tomcat actively exploited in attacks (2025-03-17)
Recorded Future: Apache Tomcat: CVE-2025-24813: Active Exploitation

💬 Community (1)

HackerOne: CVE-2025-24813: Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet (2025-04-27)