A security vulnerability has been identified in Apache Tomcat, known as CVE-2025-24813, which allows Remote Code Execution (RCE) and information disclosure, potentially compromising many web servers worldwide. Security researchers have urged immediate patching due to active exploitation following the release of a public proof-of-concept exploit.
This vulnerability originates from how Tomcat handles partial PUT requests, which allow files to be uploaded in segments. A flaw in the file-naming mechanism results in improper path handling, making it possible for attackers to bypass security controls, access sensitive files, and execute arbitrary code.
The root cause is that Tomcat replaces path separators (/) in the temporary file name with dots (.), creating a loophole that attackers can exploit in multiple ways:
• Path Traversal: By crafting file names with ../../, an attacker can upload files outside of the intended directory.
• JSP Injection: If a malicious JSP file is placed in a web-accessible directory, it can be executed remotely, allowing full control of the server.
• Session Manipulation: Attackers could modify session files in CATALINA_BASE/work, altering user authentication and access privileges.
Apache Tomcat versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0-M1 to 9.0.98 are affected by this vulnerability.
As Tomcat is a widely used platform, this issue could potentially affect thousands of organizations that rely on it for web application hosting.
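To make the affected ranges above easy to check across a fleet, here is an added Python example (not from the article or the Tomcat project) that parses a Tomcat version string, including milestone builds such as 11.0.0-M1 and the "Apache Tomcat/x.y.z" form printed by version.sh, and tests it against the three ranges the article lists. Milestones sort before the GA release of the same number, so 11.0.0-M1 is inside the 11.0.x range. Branches the article does not mention (for example 8.5.x or 10.0.x) are simply reported as outside the listed ranges; that is an assumption of this script, not a statement about their status.

```python
import re
from typing import Optional, Tuple

# Affected ranges exactly as stated in the article (inclusive on both ends).
AFFECTED_RANGES = [
    ("9.0.0-M1", "9.0.98"),
    ("10.1.0-M1", "10.1.34"),
    ("11.0.0-M1", "11.0.2"),
]

# Accepts "9.0.98", "9.0.98.0" (version.sh "Server number"), "11.0.0-M1"
# and the "Apache Tomcat/10.1.34" form of the "Server version" line.
_VERSION_RE = re.compile(
    r"^(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(?:-M(\d+))?$"
)


def parse_version(text: str) -> Optional[Tuple[int, int, int, int, int]]:
    """Turn a Tomcat version string into a sortable tuple, or None if unrecognised.

    The tuple is (major, minor, patch, ga_flag, milestone): a milestone build
    has ga_flag 0, so 11.0.0-M1 sorts before the 11.0.0 release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(text: str) -> bool:
    """True if the version falls inside one of the ranges the article lists."""
    v = parse_version(text)
    if v is None:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, the kind of strings an inventory tool collects.
    for sample in ["Apache Tomcat/9.0.98", "9.0.99", "11.0.0-M1", "10.1.34", "11.0.3"]:
        print(f"{sample:24} affected={is_affected(sample)}")
```

Run it as a script to see the sample table, or import `is_affected` into an inventory job that reads the "Server version" line from each host.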
There are certain conditions that need to be true for attackers to achieve remote code execution. These include:
• The default servlet has writes enabled (readonly="false"); this is disabled by default.
• Support for partial PUT is enabled (enabled by default).
• Security-sensitive uploads occur in a sub-directory of a public upload directory.
• The attacker has the names of security-sensitive files being uploaded.
• Partial PUT is used to upload these security-sensitive files.
Security analysts have warned that CVE-2025-24813 poses a high risk, as some conditions for exploitation exist by default in many deployments. If the default servlet has write permissions enabled (disabled by default) and partial PUT support is active (enabled by default), attackers could manipulate the system to execute malicious code remotely.
Additionally, if the server uses file-based session persistence along with vulnerable deserialization libraries, this could enable privilege escalation and full server compromise.
For those unable to upgrade immediately, temporary mitigations include:
• Disabling partial PUT requests: set allowPartialPut="false" in the DefaultServlet configuration.
• Enforcing read-only mode: ensure readonly="true" to prevent unauthorized modifications.
• Auditing dependencies: remove outdated serialization libraries that could be exploited.
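The two DefaultServlet settings above are init-params of the servlet declared in Tomcat's conf/web.xml. The following added Python example (not from the article or the Tomcat project) parses a web.xml, finds the DefaultServlet declaration, and reports whether the write-enabled and partial-PUT preconditions from the list above are present. The two web.xml fragments embedded in it are constructed samples: one with the weak settings, one with the mitigations applied. A parameter that is absent is treated as its default (readonly true, allowPartialPut true, as the article states).

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: writes enabled, allowPartialPut left at its default.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample: the same servlet with both mitigations from the article.
HARDENED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>allowPartialPut</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so namespaced and plain web.xml files both match."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml: str) -> Dict[str, str]:
    """Return the init-params of the DefaultServlet declaration, or {} if none."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        children = {_local(c.tag): (c.text or "").strip() for c in servlet}
        if children.get("servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        params: Dict[str, str] = {}
        for init in servlet:
            if _local(init.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in init}
            if "param-name" in kv:
                params[kv["param-name"]] = kv.get("param-value", "")
        return params
    return {}


def audit_default_servlet(web_xml: str) -> List[str]:
    """List the settings that match the article's exploitation preconditions."""
    params = default_servlet_params(web_xml)
    # Missing parameters take Tomcat's defaults: readonly=true, allowPartialPut=true.
    readonly = params.get("readonly", "true").strip().lower() == "true"
    partial_put = params.get("allowPartialPut", "true").strip().lower() == "true"
    findings: List[str] = []
    if not readonly:
        findings.append("readonly=false: DefaultServlet accepts PUT and DELETE (writes enabled)")
    if partial_put:
        findings.append("allowPartialPut is not false: partial PUT uploads are accepted")
    if not readonly and partial_put:
        findings.append("both RCE preconditions present: set readonly=true and "
                        "allowPartialPut=false as an interim measure, then upgrade")
    return findings


if __name__ == "__main__":
    for label, xml in [("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)]:
        print(f"[{label}] findings: {audit_default_servlet(xml) or 'none'}")
```

Point `audit_default_servlet` at the contents of $CATALINA_BASE/conf/web.xml (and any per-application WEB-INF/web.xml that redeclares the default servlet) to confirm the interim settings actually took effect; it checks configuration only and says nothing about the dependency audit, which still has to be done by hand.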
Cybersecurity experts emphasize that delaying the patch could have severe consequences. Given Tomcat’s widespread use, unpatched servers could become targets for data breaches, ransomware, or unauthorized access.
A member of the Apache Tomcat Security Team commented:
“This vulnerability underscores the importance of reviewing security settings, especially when dealing with file uploads and session management in production environments.”
Since the proof-of-concept is available now, delaying patches is not an option. Organizations are advised to follow best security practices by keeping their servers updated, restricting unnecessary file uploads, and monitoring for unusual system behaviour.