#VU105485 Input validation error in Apache Tomcat - CVE-2025-24813

Cybersecurity Help s.r.o.

Published: 2025-03-10 | Updated: 2025-05-09

Vulnerability identifier: #VU105485

Vulnerability risk: Critical

CVSSv4.0: 9.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: CVE-2025-24813

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Apache Tomcat
Server applications / Web servers

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input when handling file uploads via HTTP PUT requests. A remote attacker can send a specially crafted HTTP PUT request to the server and gain access to sensitive information or even execute arbitrary code.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:

writes enabled for the default servlet (disabled by default)
support for partial PUT (enabled by default)
a target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads
attacker knowledge of the names of security sensitive files being uploaded
the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

writes enabled for the default servlet (disabled by default)
support for partial PUT (enabled by default)
application was using Tomcat's file based session persistence with the default storage location
application included a library that may be leveraged in a deserialization attack

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Tomcat: 9.0.0, 9.0.0-M1, 9.0.0-M2, 9.0.0-M3, 9.0.0-M4, 9.0.0-M5, 9.0.0-M6, 9.0.0-M7, 9.0.0-M8, 9.0.0-M9, 9.0.0-M10, 9.0.0-M11, 9.0.0-M12, 9.0.0-M13, 9.0.0-M14, 9.0.0-M15, 9.0.0-M16, 9.0.0-M17, 9.0.0-M18, 9.0.0-M19, 9.0.0-M20, 9.0.0-M21, 9.0.0-M22, 9.0.0-M23, 9.0.0-M24, 9.0.0-M25, 9.0.0-M26, 9.0.0-M27, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.0.11, 9.0.12, 9.0.13, 9.0.14, 9.0.15, 9.0.16, 9.0.17, 9.0.18, 9.0.19, 9.0.20, 9.0.21, 9.0.22, 9.0.23, 9.0.24, 9.0.25, 9.0.26, 9.0.27, 9.0.28, 9.0.29, 9.0.30, 9.0.31, 9.0.32, 9.0.33, 9.0.34, 9.0.35, 9.0.36, 9.0.37, 9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46, 9.0.47, 9.0.48, 9.0.49, 9.0.50, 9.0.51, 9.0.52, 9.0.53, 9.0.54, 9.0.55, 9.0.56, 9.0.57, 9.0.58, 9.0.59, 9.0.60, 9.0.61, 9.0.62, 9.0.63, 9.0.64, 9.0.65, 9.0.66, 9.0.67, 9.0.68, 9.0.69, 9.0.70, 9.0.71, 9.0.72, 9.0.73, 9.0.74, 9.0.75, 9.0.76, 9.0.77, 9.0.78, 9.0.79, 9.0.80, 9.0.81, 9.0.82, 9.0.83, 9.0.84, 9.0.85, 9.0.86, 9.0.87, 9.0.88, 9.0.89, 9.0.90, 9.0.91, 9.0.92, 9.0.93, 9.0.94, 9.0.95, 9.0.96, 9.0.97, 9.0.98, 10.0.0, 10.0.0-M1, 10.0.0-M2, 10.0.0-M3, 10.0.0-M4, 10.0.0-M5, 10.0.0-M6, 10.0.0-M7, 10.0.0-M8, 10.0.0-M9, 10.0.0-M10, 10.0.0.0-M1, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 10.0.8, 10.0.9, 10.0.10, 10.0.11, 10.0.12, 10.0.13, 10.0.14, 10.0.15, 10.0.16, 10.0.17, 10.0.18, 10.0.19, 10.0.20, 10.0.21, 10.0.22, 10.0.23, 10.0.24, 10.0.25, 10.0.26, 10.0.27, 10.1.0, 10.1.0-M1, 10.1.0-M2, 10.1.0-M3, 10.1.0-M4, 10.1.0-M5, 10.1.0-M6, 10.1.0-M7, 10.1.0-M8, 10.1.0-M9, 10.1.0-M10, 10.1.0-M11, 10.1.0-M12, 10.1.0-M13, 10.1.0-M14, 10.1.0-M15, 10.1.0-M16, 10.1.0-M17, 10.1.0-M18, 10.1.0-M19, 10.1.0-M20, 10.1.1, 10.1.2, 10.1.3, 10.1.4, 10.1.5, 10.1.6, 10.1.7, 10.1.8, 10.1.9, 10.1.10, 10.1.11, 10.1.12, 10.1.13, 10.1.14, 10.1.15, 10.1.16, 10.1.17, 10.1.18, 10.1.19, 10.1.20, 10.1.21, 10.1.22, 10.1.23, 10.1.24, 10.1.25, 10.1.26, 10.1.27, 10.1.28, 10.1.29, 10.1.30, 10.1.31, 10.1.32, 10.1.33, 10.1.34, 11.0.0, 11.0.0-M1, 11.0.0-M2, 11.0.0-M3, 11.0.0-M4, 11.0.0-M5, 11.0.0-M6, 11.0.0-M7, 11.0.0-M8, 11.0.0-M9, 11.0.0-M10, 11.0.0-M11, 11.0.0-M12, 11.0.0-M13, 11.0.0-M14, 11.0.0-M15, 11.0.0-M16, 11.0.0-M17, 11.0.0-M18, 11.0.0-M19, 11.0.0-M20, 11.0.0-M21, 11.0.0-M22, 11.0.0-M23, 11.0.0-M24, 11.0.0-M25, 11.0.0-M26, 11.0.1, 11.0.2

External links
https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.3
https://tomcat.apache.org/security-10.html
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.99
https://github.com/apache/tomcat/commit/0a668e0c27f2b7ca0cc7c6eea32253b9b5ecb29c
https://github.com/apache/tomcat/commit/f6c01d6577cf9a1e06792be47e623d36acc3b5dc
https://github.com/apache/tomcat/commit/eb61aade8f8daccaecabf07d428b877975622f72
https://lists.apache.org/thread/xl35tnb4979lnk7stnvx9sll1hb68kvf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

Latest bulletins with this vulnerability

IBM Watson Speech Services Cartridge update for Apache Tomcat

Anolis OS update for tomcat

Multiple vulnerabilities in IBM QRadar SIEM

IBM Power Hardware Management Console (HMC) update for Apache Tomcat Server

Anolis OS update for tomcat

Multiple vulnerabilities in Oracle Communications Element Manager

Multiple vulnerabilities in Oracle Communications Policy Management

Multiple vulnerabilities in Oracle SD-WAN Edge

Multiple vulnerabilities in Oracle Communications Session Report Manager

Multiple vulnerabilities in Communications Unified Assurance