
Apache Tomcat 9.0.0-9.0.98/10.1.0-10.1.34/11.0.0-11.0.2 Remote Code Execution (CVE-2025-24813)


Overview

CVE-2025-24813 is a remote code execution vulnerability in Apache Tomcat 9.0.0-9.0.98, 10.1.0-10.1.34 and 11.0.0-11.0.2. It affects deployments where partial PUT support, write-enabled Default Servlet behavior, and session persistence conditions combine into a high-impact vulnerability. Apache Tomcat is a widely used Java servlet container, so affected configurations can expose production web applications and server-side Java environments.

Vulnerability Overview

CVE-2025-24813 is a path equivalence issue involving internal dots in file names, write-enabled Default Servlet behavior, and partial PUT support in Apache Tomcat. Depending on configuration, the issue can lead to sensitive file disclosure, malicious content being added to uploaded files, or remote code execution.

The remote code execution condition requires several factors: writes enabled for the Default Servlet, partial PUT support enabled, Tomcat file-based session persistence using the default storage location, and an application library that can be leveraged in a deserialization attack.

Impact

The vulnerability is rated Critical with a CVSS 3.1 score of 9.8. Successful exploitation can result in remote code execution, sensitive information disclosure, or modification of uploaded content depending on the affected Tomcat configuration.

CVE-2025-24813 is listed in the CISA Known Exploited Vulnerabilities catalog, which means exposed affected deployments should be treated as urgent remediation targets.

Vulnerability Scope

Apache identifies the affected supported ranges as Tomcat 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98. Tomcat 8.5.0 through 8.5.100 was end-of-life when the CVE was created but is known to be affected.

Users are advised to upgrade to Tomcat 11.0.3, 10.1.35, or 9.0.99. The highest-risk deployments are systems that combine write-enabled Default Servlet behavior with file-based session persistence in the vulnerable configuration.
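As an added example (not part of this lab or of Tomcat's own tooling), the following Python script checks a Tomcat version string against the affected ranges above and parses a conf/web.xml and a context.xml for the three configuration preconditions listed under Vulnerability Overview: a Default Servlet with readonly=false, partial PUT support left enabled, and a PersistentManager backed by a FileStore at its default location. The readonly init-param and the PersistentManager/FileStore class names are Tomcat's; allowPartialPut as the name of the partial-PUT init-param is an assumption, and the sample XML is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges as given on this page; milestone builds (11.0.0-M1, 9.0.0.M1) map to .0.
AFFECTED = [((8, 5, 0), (8, 5, 100)), ((9, 0, 0), (9, 0, 98)),
            ((10, 1, 0), (10, 1, 34)), ((11, 0, 0), (11, 0, 2))]
# Constructed sample inputs: a conf/web.xml fragment with a write-enabled Default
# Servlet, and a context.xml using file-based session persistence at the default location.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""
SAMPLE_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/></Manager></Context>"""

def is_affected(version):
    nums = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    return any(lo <= nums <= hi for lo, hi in AFFECTED)

_local = lambda tag: tag.rsplit("}", 1)[-1]  # strip the web-app XML namespace, if any

def default_servlet_params(web_xml):
    # Return the init-params of the servlet whose class is DefaultServlet ({} if none).
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c for c in servlet if _local(c.tag) == "servlet-class"), None)
        if cls is None or not (cls.text or "").strip().endswith(".DefaultServlet"):
            continue
        params = {}
        for p in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in p}
            params[kv.get("param-name")] = kv.get("param-value")
        return params
    return {}

def file_store_state(context_xml):
    # "default": FileStore with no explicit directory; "custom": directory set; None: no FileStore.
    for store in ET.fromstring(context_xml).iter("Store"):
        if store.get("className", "").endswith(".FileStore"):
            return "custom" if store.get("directory") else "default"
    return None

def assess(version, web_xml, context_xml):
    # The deserialization-gadget precondition is not visible in config, so only three are checked;
    # Tomcat defaults readonly to true and (assumed name) allowPartialPut to true.
    p = default_servlet_params(web_xml)
    findings = {
        "affected_version": is_affected(version),
        "default_servlet_writable": p.get("readonly", "true").lower() == "false",
        "partial_put_enabled": p.get("allowPartialPut", "true").lower() != "false",
        "file_session_store_default": file_store_state(context_xml) == "default",
    }
    findings["config_preconditions_met"] = all(findings.values())
    return findings
```

A deployment where assess() reports every flag true still needs a usable gadget library on the classpath for the RCE path; the other outcomes the page lists (file disclosure, tampering with uploads) need fewer of these conditions, so a writable Default Servlet alone is worth remediating.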

Lab Focus

This Hackviser lab focuses on understanding how multiple web container behaviors can combine into a remote code execution path. You will practice identifying affected Tomcat versions, recognizing the required configuration conditions, and connecting path equivalence and deserialization risk to Java application server hardening.

Resources