Security
May 4, 2026

CVE-2025-24813: Remote Code Execution in Apache Tomcat via Partial PUT Path Equivalence

How a path equivalence flaw in the default servlet exposed Apache Tomcat to unauthenticated RCE, information disclosure, and file injection, and why it is now in CISA's Known Exploited Vulnerabilities catalog


Open source powers the modern software stack, but its security depends on a shared commitment to finding and fixing weaknesses before they become incidents.

At HeroDevs, that's our mission: secure open source. We do it in two ways:

  1. Remediating known CVEs across critical ecosystems, and
  2. Proactively researching vulnerabilities before attackers can exploit them.

A critical vulnerability, CVE-2025-24813, was disclosed in Apache Tomcat on March 10, 2025. The vulnerability allows an unauthenticated attacker to achieve remote code execution, read security-sensitive files, or inject content into uploaded files when specific (but not unusual) configurations are in place. The flaw has since been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming in-the-wild exploitation. Apache Tomcat 8.5.x reached end of life before the patch was released, so organizations running 8.5 cannot get an upstream fix.

What is CVE-2025-24813?

CVE-2025-24813 is a path equivalence vulnerability (CWE-44) in the Apache Tomcat default servlet, chained with unsafe deserialization (CWE-502) when Tomcat's file-based session persistence is in use. The bug lives in how Tomcat handles partial PUT requests (a PUT carrying a Content-Range header): the uploaded bytes are first written to a temporary file in the context's work directory, named with an internal-dot convention derived from the request path, before the final object is materialized at the target URL.

An attacker who can reach a Tomcat instance with the default servlet configured for writes and with partial PUT enabled (the default) can:

  • Write attacker-controlled content to paths that collide with security-sensitive files, or
  • Plant a serialized Java payload that Tomcat later deserializes from the session store, yielding remote code execution if a suitable gadget chain is present on the classpath.

Because the exploit is triggered by an HTTP request with no authentication requirement, it meets the CVSS definition of PR:N, and real-world exploitation has been observed.

CVSS scoring

Two scores exist for CVE-2025-24813. Both agree on the critical rating and the unauthenticated, network-accessible exploit path. They differ on scope.

The Apache vector scores S:C (Scope Changed) on the view that successful exploitation can affect components outside Tomcat's security authority, such as the session store contents or the host file system. NVD scores S:U (Scope Unchanged). Either way: network-reachable, unauthenticated, with high impact on confidentiality, integrity, and availability.

CWEs: CWE-44 (Path Equivalence), CWE-502 (Deserialization of Untrusted Data), CWE-706 (Use of Incorrectly-Resolved Name or Reference).

Who is affected?

This vulnerability affects a wide swath of Apache Tomcat history, including the EOL 8.5 branch.

Apache Tomcat 8.5 reached end of life on 31 March 2024. The Apache Tomcat team has stated it will not check security vulnerability reports against the 8.5 branch, which means no upstream fix for CVE-2025-24813 is coming to 8.5.x, ever. NES for Apache Tomcat provides a secure drop-in replacement for Tomcat 8.5 with CVE-2025-24813 resolved.

Exploit conditions

The information disclosure and file injection path requires all of the following:

  • Writes enabled for the default servlet (disabled by default, but commonly enabled for WebDAV-style or upload use cases).
  • Support for partial PUT enabled (the default).
  • A target URL for security-sensitive uploads that is a sub-directory of a target URL for public uploads.
  • Attacker knowledge of the names of security-sensitive files.
  • Those security-sensitive files also being uploaded via partial PUT.

The remote code execution path requires all of the following:

  • Writes enabled for the default servlet.
  • Support for partial PUT enabled.
  • The application uses Tomcat's file-based session persistence with the default storage location.
  • The application includes a library on the classpath that can be leveraged in a deserialization gadget chain.

The default-servlet write flag is the gating condition. Many Tomcat deployments never enable it. But "many" is not "most": configurations that accept uploads, expose WebDAV through Tomcat, or inherit a legacy conf/web.xml from older deployments are commonly exposed. CISA's KEV listing confirms that the exposed population is large enough for attackers to find.

Impact

When successfully exploited, CVE-2025-24813 yields:

  • Unauthenticated remote code execution in the Tomcat JVM, with the privileges of the Tomcat process. On default installations, that process often has read/write access to the application's deployment directory and file system paths outside the servlet container.
  • Disclosure of security-sensitive files placed under the default servlet's write-enabled tree, including credentials, keys, or configuration that was assumed to be out-of-band.
  • Tampered file uploads, allowing an attacker to overwrite legitimate files with malicious content before downstream consumers read them.

This is the class of vulnerability that turns a web server into an initial access vector for full host compromise and lateral movement.

Root cause

The vulnerability is rooted in how Tomcat named the temporary file for a partial PUT. Tomcat's default servlet derived that name from the request path using an internal-dot convention, and wrote it into the context's work directory, the same directory that file-based session persistence uses by default. Two different request paths could therefore produce the same temporary file name, and that name could also match a file another Tomcat component would later read. The server treated these paths as equivalent when it should not have, which means:

  1. An attacker could PUT content to a path whose temporary file name pointed at a security-sensitive file under the same write-enabled directory tree, disclosing or overwriting it.
  2. If the application's session store was configured for file-based persistence in its default location, an attacker could write a serialized Java object under a file name that Tomcat would later load and deserialize as a session.
  3. If the classpath included a library with an exploitable deserialization gadget chain, deserialization resulted in code execution in the Tomcat process.

The fix in 9.0.99, 10.1.35, and 11.0.3 changed the path normalization behavior so that the partial PUT temporary path cannot collide with the final target path of another resource.
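The following Python block is an added illustration of the path equivalence at the heart of the root cause; it is not Tomcat code and not part of the original article. The one detail it takes from the pre-fix Tomcat source (DefaultServlet.executePartialPut) is that the temporary file name was the request path with every '/' replaced by '.', and that FileStore persists a session with id X as X.session; the request paths fed to it are constructed samples.

```python
"""Model of the pre-fix partial PUT temporary file naming in Tomcat's
default servlet and why it is a path equivalence (CWE-44) bug.

Added illustration, not Tomcat code. Behaviour taken from the Tomcat
source: the unpatched executePartialPut named the temporary file
path.replace('/', '.') inside the context work directory, and FileStore
persists a session with id X in that same directory as X.session.
The request paths in the demo are constructed for this example.
"""
from collections import defaultdict

SESSION_EXT = ".session"  # FileStore file extension (Tomcat source)


def legacy_temp_name(request_path: str) -> str:
    """Temporary file name the unpatched default servlet derived from the
    request path of a partial PUT. Every '/' becomes '.', so the path
    separator and a literal dot in a file name are no longer distinct."""
    return request_path.replace("/", ".")


def find_collisions(paths):
    """Group distinct request paths that map to the same temporary file.

    Returns {temp_name: [request paths]} for every name claimed by more
    than one path. Each collision means a partial PUT to one URL writes
    the temporary file another resource would use: that is the
    information disclosure / file injection path from the advisory.
    """
    by_name = defaultdict(list)
    for p in paths:
        by_name[legacy_temp_name(p)].append(p)
    return {name: ps for name, ps in by_name.items() if len(ps) > 1}


def session_id_for(temp_name: str):
    """If a temporary file name has the shape of a FileStore session file
    (<id>.session in the same work directory), return the session id it
    would be read back as; otherwise None. This is the collision that
    turns a file write into a deserialization (CWE-502) sink."""
    if temp_name.endswith(SESSION_EXT) and len(temp_name) > len(SESSION_EXT):
        return temp_name[: -len(SESSION_EXT)]
    return None


if __name__ == "__main__":
    # Constructed sample paths under one write-enabled upload tree.
    sample = ["/upload/a/b.txt", "/upload/a.b.txt", "/upload/c.txt",
              "/upload/x.session"]
    for name, paths in find_collisions(sample).items():
        print(f"{name!r} is claimed by {paths}")
    for p in sample:
        sid = session_id_for(legacy_temp_name(p))
        if sid is not None:
            print(f"PUT {p} -> temp file {legacy_temp_name(p)!r} "
                  f"would be loaded as session {sid!r}")
```

The fixed releases break both mappings by no longer deriving the temporary name from the request path in this way, so neither collision above is reachable once 9.0.99, 10.1.35, or 11.0.3 is installed.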

Mitigation guidance

If you cannot patch immediately, disabling default-servlet writes eliminates the precondition entirely. Review the entry for the default servlet (servlet-class org.apache.catalina.servlets.DefaultServlet, normally named "default") in conf/web.xml, and any per-application web.xml that overrides it, for the readonly init-param: the value must be true (which is the Tomcat default) for the vulnerable code path to be unreachable. If writes are genuinely required, the default servlet's allowPartialPut init-param can be set to false to remove the partial PUT precondition instead. Moving file-based session persistence out of the default work directory, or not using it at all, removes the deserialization leg of the RCE chain but not the file injection and disclosure paths.
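The following Python script is an added example, not code from HeroDevs or the Apache Tomcat project, that audits a server for the exploit conditions listed above and for the mitigation just described. It parses the default servlet's init-params (readonly, allowPartialPut) out of a conf/web.xml document and looks for PersistentManager with a FileStore, the Tomcat classes behind file-based session persistence, in a context.xml document. The XML documents embedded in it are constructed samples: the first pair is an exposed configuration, the second the hardened one. The function and variable names are this example's own.

```python
"""Audit Tomcat configuration for the CVE-2025-24813 preconditions.

Added example, not HeroDevs or Apache code. Reads the default servlet's
init-params from a conf/web.xml document and looks for file-based
session persistence (PersistentManager + FileStore) in a context.xml.
The XML below is constructed sample configuration for this demo.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: writes enabled, partial PUT left at its default (on).
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

# Constructed sample: writes disabled and partial PUT explicitly off.
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "<param-name>readonly</param-name><param-value>false</param-value>",
    "<param-name>readonly</param-name><param-value>true</param-value></init-param>\n"
    "    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value>")

# Constructed sample: file-based sessions in the default (work) directory.
WEAK_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

# Constructed sample: no session persistence configured at all.
HARDENED_CONTEXT_XML = "<Context/>"


def _local(tag: str) -> str:
    """Strip the XML namespace from a tag: '{ns}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def default_servlet_params(web_xml: str) -> dict:
    """Return the init-params of the first DefaultServlet declaration."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        return {_child_text(ip, "param-name"): _child_text(ip, "param-value")
                for ip in servlet if _local(ip.tag) == "init-param"}
    return {}


def file_store(context_xml: str):
    """Return (present, directory) for a FileStore under PersistentManager.
    directory is None when the store uses its default location."""
    root = ET.fromstring(context_xml)
    for mgr in root.iter("Manager"):
        if mgr.get("className", "").endswith(".PersistentManager"):
            for store in mgr.iter("Store"):
                if store.get("className", "").endswith(".FileStore"):
                    return True, store.get("directory")
    return False, None


def assess(web_xml: str, context_xml: str) -> dict:
    """Evaluate the advisory's exploit conditions. Tomcat defaults are
    readonly=true and allowPartialPut=true, so absent params use those."""
    params = default_servlet_params(web_xml)
    writable = params.get("readonly", "true").strip().lower() == "false"
    partial_put = params.get("allowPartialPut", "true").strip().lower() != "false"
    store_present, directory = file_store(context_xml)
    return {
        "writable": writable,
        "partial_put": partial_put,
        "file_injection_reachable": writable and partial_put,
        # RCE additionally needs file-based sessions in the default location
        # and a gadget chain on the classpath (not checkable from config).
        "rce_preconditions_met": writable and partial_put
                                 and store_present and directory is None,
    }


if __name__ == "__main__":
    print("exposed :", assess(WEAK_WEB_XML, WEAK_CONTEXT_XML))
    print("hardened:", assess(HARDENED_WEB_XML, HARDENED_CONTEXT_XML))
```

Point assess() at the real files with open(path).read() to audit a server; a True in file_injection_reachable means the two gating conditions from the advisory are both present regardless of what is on the classpath.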

Taking action

CVE-2025-24813 is a textbook example of why EOL software is a standing compliance and security liability. The vulnerability affects every recent Tomcat major version, but only 9.0, 10.1, and 11.0 received upstream patches. Organizations running Tomcat 8.5 are exposed to an unauthenticated, remotely exploitable critical CVE with no fix coming from the Apache Tomcat project and active exploitation confirmed by CISA.

If your organization runs Apache Tomcat 8.5 in production, NES for Apache Tomcat delivers a secure drop-in replacement with CVE-2025-24813 resolved, along with ongoing patches for the critical CVEs that will continue to land in the Tomcat branch the Apache project no longer maintains.

For the full technical record on this CVE, see the HeroDevs vulnerability directory entry, the Apache Tomcat security advisory, and the GitHub Security Advisory GHSA-83qj-6fr2-vhqg.

Author
Greg Allen
Chief Technology Officer