CVE-2025-24813

Remote Code Execution
Affects Apache Tomcat
Versions
>=9.0.0.M1 <9.0.99, >=10.1.0-M1 <10.1.35, >=11.0.0-M1 <11.0.3
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Apache Tomcat is an open-source web server and servlet container developed by the Apache Software Foundation. It implements several Java EE / Jakarta EE specifications, including Java Servlet, JavaServer Pages (JSP), and WebSocket, allowing it to run Java web applications. Tomcat is widely used in both development and production environments because of its lightweight nature, ease of configuration, and compatibility with a broad range of Java applications.

A Remote Code Execution (RCE) / Information Disclosure vulnerability (CVE-2025-24813) has been identified in Apache Tomcat. It allows an attacker to write a file to the server through a partial HTTP PUT request that Tomcat later loads as persisted session data; when that session is retrieved, the file's contents are deserialized.

A Remote Code Execution vulnerability is a security flaw that allows an attacker to execute arbitrary code on a target system remotely. This type of vulnerability is particularly dangerous because it can enable attackers to take full control of a system, steal data, install malware, or disrupt services.

This issue affects Apache Tomcat 9.0.0.M1 through 9.0.98, 10.1.0-M1 through 10.1.34, and 11.0.0-M1 through 11.0.2, as well as the end-of-life 8.5.x line.

Details

Module Info

  • Product: Apache Tomcat
  • Affected packages: tomcat-embed-core, tomcat-catalina
  • Affected versions: >=9.0.0.M1 <9.0.99, >=10.1.0-M1 <10.1.35, >=11.0.0-M1 <11.0.3
  • GitHub repository: https://github.com/apache/tomcat
  • Fixed in: NES 8.5.101, 9.0.99, 10.1.35, and 11.0.3

Vulnerability Info

An attacker can exploit an affected Apache Tomcat server by uploading a file with a partial HTTP PUT request (a PUT carrying a Content-Range header). Tomcat's default servlet writes the partial content to a temporary file in the web application's work directory on the local filesystem, which is also the default storage location for Tomcat's file-based session persistence.

If the upload target is a directory containing security-sensitive files and that directory is a subdirectory of a publicly accessible upload location, an attacker who knows the names of those files (and where the files are themselves written via partial PUT) can read them or inject malicious content into them.

If the uploaded file contains a serialized Java object and Tomcat later loads it as persisted session data, retrieving the session deserializes that object. When a library on the application's classpath provides a usable deserialization gadget chain, this leads to Remote Code Execution (RCE).
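The two steps described above, the partial PUT and the later session retrieval, both leave traces in the access log. The following is an added example (not code from the advisory or the Tomcat project) that runs two detection rules over constructed access-log lines. It assumes an AccessLogValve pattern that logs the Content-Range and Cookie request headers (`%h %t "%r" %s "%{Content-Range}i" "%{Cookie}i"`, not a Tomcat default), and that Tomcat's default session ID generator emits 32 uppercase hex characters optionally followed by a `.jvmRoute` suffix. The hosts, paths and IDs in the sample log are made up.

```python
"""Flag partial PUT uploads and malformed session IDs in Tomcat access logs.

Added example, not code from the advisory or the Tomcat project. It assumes
the AccessLogValve pattern below, which logs the Content-Range request header
and the Cookie header next to each request (an assumption, not a default):

    %h %t "%r" %s "%{Content-Range}i" "%{Cookie}i"

AccessLogValve writes "-" for a header that is absent from the request.
"""
import re
from dataclasses import dataclass

LOG_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
    r'"(?P<range>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Assumption: Tomcat's default session ID generator emits 32 uppercase hex
# characters, optionally followed by ".<jvmRoute>" behind a load balancer.
# Anything else presented as JSESSIONID was not issued by this server.
SESSION_ID_RE = re.compile(r'^[0-9A-F]{32}(\.[A-Za-z0-9_-]+)?$')


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def jsessionid(cookie_header: str):
    """Return the JSESSIONID value from a raw Cookie header, or None."""
    for part in cookie_header.split(';'):
        name, _, value = part.strip().partition('=')
        if name == 'JSESSIONID':
            return value
    return None


def analyze(lines):
    """Run both rules over access-log lines and return the findings in order."""
    findings = []
    accepted_partial_put = set()  # hosts whose partial PUT got a 2xx response
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        host, method, path = m['host'], m['method'], m['path']
        status = int(m['status'])

        # Rule 1: a PUT carrying Content-Range is a partial PUT. Tomcat only
        # honours it when DefaultServlet writes are enabled, so a 2xx means
        # the temporary file was actually created.
        if method == 'PUT' and m['range'] != '-':
            accepted = 200 <= status < 300
            outcome = 'accepted' if accepted else f'rejected ({status})'
            findings.append(Finding(host, 'partial-put',
                                    f'{path} {outcome}, range={m["range"]}'))
            if accepted:
                accepted_partial_put.add(host)

        # Rule 2: a session ID the server could not have issued. After an
        # accepted partial PUT from the same host this is the retrieval step
        # the advisory describes, so it gets a more specific rule name.
        sid = jsessionid(m['cookie'])
        if sid is not None and not SESSION_ID_RE.match(sid):
            rule = ('partial-put-then-malformed-session-id'
                    if host in accepted_partial_put else 'malformed-session-id')
            findings.append(Finding(host, rule, f'JSESSIONID={sid!r} on {method} {path}'))
    return findings


# Constructed sample log; hosts, paths and session IDs are made up.
SAMPLE_LOG = """\
10.0.0.5 [10/Mar/2025:12:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 "-" "JSESSIONID=0123456789ABCDEF0123456789ABCDEF"
203.0.113.7 [10/Mar/2025:12:00:02 +0000] "PUT /uploads/report.bin HTTP/1.1" 201 "bytes 0-1023/2048" "-"
203.0.113.7 [10/Mar/2025:12:00:03 +0000] "GET /index.jsp HTTP/1.1" 200 "-" "JSESSIONID=abc123"
198.51.100.9 [10/Mar/2025:12:00:04 +0000] "PUT /uploads/a.bin HTTP/1.1" 405 "bytes 0-10/20" "-"
"""

if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f'{f.host:14} {f.rule:40} {f.detail}')
```

A rejected partial PUT (the 405 in the sample) is still worth a low-severity alert, since it shows someone probing for writable default-servlet paths; the correlated rule is the one to page on.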

A Tomcat server is exploitable only when all of the following hold. The first two require configuration that changes Tomcat's default behavior; the remaining conditions are met by default or depend on the application:

  • Writes to the default servlet are enabled (the DefaultServlet readonly init parameter set to false; the default is true)
  • Session data is persisted to a storage location on the local file system using Tomcat's file-based session persistence at its default location (PersistentManager with FileStore; not enabled by default)
  • Partial HTTP PUT requests are supported (enabled by default in the affected versions)
  • For the RCE outcome, the application's classpath includes a library that can be leveraged in a deserialization attack

The information-disclosure outcome additionally requires that the attacker knows the names of the security-sensitive files and that those files are themselves uploaded via partial PUT.

Mitigation

Apache Tomcat 8.5.100 and earlier are no longer community-supported: the 8.5.x line reached end of life on 31 March 2024, and the Apache Tomcat project will not release an update to address this issue for it.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to Apache Tomcat 9.0.99, 10.1.35, or 11.0.3 or later.
  • Disable writes to the default servlet (leave the DefaultServlet readonly init parameter at its default value of true).
  • Disable partial HTTP PUT requests (set the DefaultServlet allowPartialPut init parameter to false, in releases that support it).
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
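The exploitability conditions listed under Vulnerability Info and the first two configuration mitigations above are all visible in web.xml and context.xml. The following is an added example (not code from the advisory or the Tomcat project) that audits both files for those conditions, with a weak and a hardened web.xml side by side. It reads the DefaultServlet readonly and allowPartialPut init parameters (both default to true; allowPartialPut is only honoured by releases that implement it) and looks for a PersistentManager backed by a FileStore without an explicit directory, which is the default storage location. The sample configurations and the audit function's name and output keys are constructed for this example; the fourth condition, a deserialization gadget on the classpath, cannot be read from configuration and is reported as not checked.

```python
"""Audit a Tomcat web.xml and context.xml for the CVE-2025-24813 preconditions.

Added example, not code from the advisory or the Tomcat project.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = 'org.apache.catalina.servlets.DefaultServlet'
PERSISTENT_MANAGER = 'org.apache.catalina.session.PersistentManager'
FILE_STORE = 'org.apache.catalina.session.FileStore'


def _local(tag):
    """Strip the namespace web.xml carries, e.g. '{https://jakarta.ee/...}servlet'."""
    return tag.rsplit('}', 1)[-1]


def _child_text(el, name):
    for child in el:
        if _local(child.tag) == name:
            return (child.text or '').strip()
    return None


def default_servlet_params(web_xml):
    """Return the init-params of the DefaultServlet declaration, or {} if absent."""
    params = {}
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != 'servlet':
            continue
        if (_child_text(servlet, 'servlet-class') != DEFAULT_SERVLET
                and _child_text(servlet, 'servlet-name') != 'default'):
            continue
        for ip in servlet:
            if _local(ip.tag) == 'init-param':
                params[_child_text(ip, 'param-name')] = _child_text(ip, 'param-value')
    return params


def file_store(context_xml):
    """Return the FileStore attributes if sessions persist to files, else None."""
    for manager in ET.fromstring(context_xml).iter('Manager'):
        if manager.get('className') != PERSISTENT_MANAGER:
            continue
        for store in manager.iter('Store'):
            if store.get('className') == FILE_STORE:
                return dict(store.attrib)
    return None


def audit(web_xml, context_xml):
    """Evaluate the configuration-visible preconditions; keys are this example's own."""
    params = default_servlet_params(web_xml)
    store = file_store(context_xml)
    result = {
        # readonly defaults to true, so writes are only on when it is set to false
        'writes_enabled': params.get('readonly', 'true').strip().lower() == 'false',
        # allowPartialPut defaults to true (and is ignored by releases without it)
        'partial_put_enabled': params.get('allowPartialPut', 'true').strip().lower() != 'false',
        'file_session_store': store is not None,
        # no directory attribute means FileStore's default storage location
        'file_store_default_dir': store is not None and 'directory' not in store,
        'gadget_library': 'not checked',
    }
    result['rce_preconditions_met'] = (result['writes_enabled']
                                       and result['partial_put_enabled']
                                       and result['file_store_default_dir'])
    return result


# Constructed configurations for this example.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

HARDENED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

FILE_SESSIONS_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

IN_MEMORY_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.StandardManager"/>
</Context>"""

if __name__ == '__main__':
    print('weak:    ', audit(WEAK_WEB_XML, FILE_SESSIONS_CONTEXT_XML))
    print('hardened:', audit(HARDENED_WEB_XML, FILE_SESSIONS_CONTEXT_XML))
```

Run it against the conf/web.xml of the Tomcat installation as well as each application's WEB-INF/web.xml, since the DefaultServlet can be redeclared per application and the per-application declaration wins.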

Credit

  • Information Disclosure: COSCO Shipping Lines DIC
  • Remote Code Execution: sw0rd1ight

Vulnerability Details

ID: CVE-2025-24813
Project affected: Apache Tomcat
Versions affected: >=9.0.0.M1 <9.0.99, >=10.1.0-M1 <10.1.35, >=11.0.0-M1 <11.0.3
Published date: July 30, 2025
≈ Fix date: January 1, 2025
Severity: Critical
Category: Remote Code Execution

Severity levels by CVSS assessment:

  • Low: >=0 <4
  • Medium: >=4 <6
  • High: >=6 <8
  • Critical: >=8 <10