CVE-2025-24813 is a critical vulnerability in Apache Tomcat that allows remote attackers to execute arbitrary code under specific, non-default configurations.
It affects Tomcat versions 9.0.0 through 9.0.98, 10.1.0 through 10.1.34, and 11.0.0 through 11.0.2, and has already been observed in active exploitation attempts.
At the core of this issue is a path equivalence flaw, triggered when Tomcat mishandles internal dot (.) characters in file paths. If certain conditions are met, attackers can exploit the flaws to upload crafted files, trigger deserialization, and execute remote code.
While the default configuration protects most deployments, environments with modified servlet settings or legacy features enabled could be exposed.
In this article, we break down how CVE-2025-24813 works, which setups are at risk, and how to patch and harden your Tomcat deployment to close this vulnerability for good.
CVE-2025-24813 at a Glance: What You Need to Know?
| Attribute | Details |
| CVE ID | CVE-2025-24813 |
| Vendor | Apache Software Foundation |
| Product | Apache Tomcat |
| Affected Versions | 9.0.0–9.0.98, 10.1.0–10.1.34, 11.0.0–11.0.2 |
| Vulnerability Type | Path Equivalence + Deserialization (RCE) |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Remote exploitation via crafted PUT requests and path manipulation |
| Exploit Status | Confirmed exploitation in the wild (source: Rapid7 ETR, March 2025) |
| Patch Available | Yes. Fixed in versions 9.0.99, 10.1.35, and 11.0.3 |
| Quick Fix | Upgrade Tomcat to a patched version; disable partial PUT; review servlet config |
Why This Vulnerability Demands Immediate Action?
CVE-2025-24813 is a critical Apache Tomcat vulnerability that enables remote code execution, but only under a very specific set of conditions. That nuance is what makes it dangerous: teams may assume they’re safe based on default configurations, while in reality, their deployment could be exposed.
The vulnerability targets deployments where all of the following are true:
- Partial PUT requests are enabled (enabled by default).
- The default servlet has write permissions (disabled by default, but often enabled in custom setups).
- File-based session persistence is in use, using the default storage path.
- A deserialization vulnerability exists in a loaded library.
While exploitation requires this configuration, many legacy or customized Tomcat environments still meet them. And with active scanning observed in the wild, attackers are already probing for exactly this type of misconfiguration.
For any organization running Apache Tomcat — especially as part of web-facing, integration-heavy, or internal middleware infrastructure — this is a patch-now situation. A successful exploit could result in full system compromise and lateral movement inside the network.
How to Fix CVE-2025-24813?
To fully mitigate CVE-2025-24813, security teams should take the following immediate steps:
#1. Upgrade to a patched version of Apache Tomcat
The most reliable fix is to upgrade to a secure version of Tomcat that addresses the vulnerability.
- For 9.0.x users: upgrade to 9.0.99 or later.
- For 10.1.x users: upgrade to 10.1.35 or later.
- For 11.0.x users: upgrade to 11.0.3 or later.
These releases remove the vulnerable path handling logic and improve input sanitization.
#2. Disable partial PUT support if not required
If your application does not rely on partial PUT requests, disable support for them. This reduces the attack surface significantly and helps block known exploitation vectors.
#3. Review and restrict servlet write permissions
Ensure the default servlet does not have write access unless explicitly needed. This permission is disabled by default, but may be enabled in legacy or custom deployments.
#4. Audit for file-based session persistence
If Tomcat is configured to use file-based session persistence, especially with default storage paths, verify that those directories are locked down and monitored. Consider using a different session persistence strategy if appropriate.
#5. Review application dependencies for deserialization risks
This vulnerability can be weaponized only if a deserialization flaw exists in a bundled library. Run a full dependency scan (e.g., using SBOM tools or SCA platforms) to identify and patch known deserialization issues.
Hardening Your Environment After CVE-2025-24813: 4 Steps to Long-Term Protection
Patching CVE-2025-24813 is critical, but it’s only part of the solution. This vulnerability is a reminder that even widely used platforms like Tomcat can introduce high-impact risks when configurations drift or legacy behaviors linger. Long-term protection comes from hardening your infrastructure — not just fixing one CVE.
Here are four long-term moves every Tomcat administrator and security team should consider.
1. Lock down HTTP methods across the stack
Partial PUT is rarely needed in most web apps — but often left enabled. Review your web.xml, reverse proxy configs, and load balancers to explicitly disable unsupported HTTP methods like PUT, TRACE, and OPTIONS. This cuts off entire classes of attack vectors early.
2. Audit all file write permissions in your servlet containers
Ensure your default servlet, static file handlers, and custom servlets don’t have unnecessary write access. File-level permissions at the OS level, combined with security manager policies (if used), help prevent unauthorized uploads, even if other logic fails.
3. Monitor and validate session storage configurations
If you’re using file-based session persistence, restrict access to those directories, enable audit logging, and monitor for unusual file creation. Better yet, consider switching to memory-based or database-backed sessions that are less susceptible to file manipulation attacks.
4. Scan for deserialization risks in your application stack
Tomcat itself isn’t vulnerable to deserialization attacks, but many third-party Java libraries are. You can use Software Composition Analysis (SCA) tools to detect risky libraries, and enforce SBOM tracking to know what’s running in every environment. Block known exploit chains before they can be linked.
Final Thoughts
CVE-2025-24813 highlights a truth that many security teams already know: even mature platforms like Tomcat can expose serious risks when configuration drift and legacy defaults are overlooked.
The good news? Most environments can eliminate this vulnerability with a combination of targeted patching, smart configuration reviews, and improved visibility into application behavior.
At Datacipher Solutions, we help enterprises do exactly that. Our security team works with complex environments to identify hidden exposure points, accelerate patch cycles, and strengthen infrastructure before attackers find a way in.
Want to explore more vulnerabilities? Browse our latest CVE coverage here. Or get in touch if you’d like help assessing your exposure to CVE-2025-24813 and closing it before attackers get there first.
