This exploit disclosure was originally published by Chaitin Security Emergency Response Center.
Overview
Apache Tomcat is an open-source Java Servlet container and web server that supports Java Servlets, JavaServer Pages (JSP), and other Java-based web applications. It is widely used for developing and deploying enterprise-level web applications.
In March 2025, the Apache Foundation released a security advisory addressing a Remote Code Execution (RCE), information disclosure, or tampering vulnerability (CVE-2025-24813) in Tomcat. The vulnerability affects environments where Partial PUT and DefaultServlet write permissions are enabled, potentially allowing attackers to bypass path validation, access sensitive files, or write specific files to execute malicious code.
As exploiting this vulnerability requires specific conditions, affected users should evaluate the risk based on their setup and determine whether an immediate fix is necessary.
Vulnerability Description
Root Cause
This vulnerability originates from insecure temporary file naming logic in Tomcat's DefaultServlet when it handles Partial PUT requests (HTTP PUT requests carrying a Content-Range header). An attacker can craft request paths that reach the temporary file and thereby read or overwrite security-sensitive files.
Exploitation Conditions
Attackers can access or modify sensitive files if all of the following conditions are met:
1. DefaultServlet has write permissions enabled (disabled by default).
2. Partial PUT is enabled on the server (enabled by default).
3. The sensitive file is located in a subpath of an allowed upload directory.
4. The attacker knows the exact file path and filename of the sensitive file.
5. The sensitive file was uploaded via Partial PUT.
Attackers can achieve Remote Code Execution (RCE) if all of the following conditions are met:
1. DefaultServlet has write permissions enabled (disabled by default).
2. Partial PUT is enabled on the server (enabled by default).
3. Tomcat uses file-based session persistence (non-default; the default is memory-based), and the storage location is set to the default path.
4. The application includes an exploitable deserialization library (e.g., Commons-Collections 3.x).
Impact
Accessing or modifying sensitive files:
- Exposing security configuration files, credentials, or encryption keys.
- Modifying critical configuration files, disrupting server operation.
Remote Code Execution (RCE):
- Leveraging Tomcat's file-based session persistence together with a deserialization vulnerability to execute malicious code.
Risk Assessment
- Priority Level: Medium
- Vulnerability Type: Logic flaw
- Severity: High
- Trigger Method: Remote network attack
- Authentication Requirement: None
- System Configuration Requirement:
  - Non-default configuration (requires DefaultServlet write permission).
  - RCE additionally requires file-based session persistence to be enabled.
- User Interaction Requirement: None
- Exploit Maturity: POC/EXP not publicly available
- Fix Complexity: Low (official patch available)
Affected Versions

| Apache Tomcat Version | Affected Range |
| --- | --- |
| 11.x | 11.0.0-M1 ≤ Apache Tomcat ≤ 11.0.2 |
| 10.x | 10.1.0-M1 ≤ Apache Tomcat ≤ 10.1.34 |
| 9.x | 9.0.0-M1 ≤ Apache Tomcat ≤ 9.0.98 |
Mitigation & Fixes
Temporary Workarounds
If an immediate upgrade is not feasible, implement the following mitigation measures to reduce risk:
Disable Partial PUT:
Set allowPartialPut to false in conf/web.xml, then restart Tomcat to apply the change.
Restrict DefaultServlet Write Permissions:
Ensure readonly is set to true, so that PUT and DELETE requests from unauthorized clients are rejected, and restrict access to sensitive directories.
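As an added example that is not part of the original advisory, the following Python script parses a Tomcat conf/web.xml, reads the DefaultServlet init-params and reports whether the two configuration preconditions above hold (readonly=false together with allowPartialPut left at its default of true); the web.xml fragments are constructed samples and the function names are my own.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

def _local(tag):
    """Strip the namespace so Tomcat 9 (javaee) and 10/11 (jakartaee) files parse alike."""
    return tag.rsplit("}", 1)[-1]

def _text(elem, name):
    """Stripped text of the first child with local name `name`, or '' if absent."""
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), "")

def default_servlet_params(web_xml_text):
    """Return {param-name: param-value} for the DefaultServlet <servlet>, or None if absent."""
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) == "servlet" and _text(servlet, "servlet-class") == DEFAULT_SERVLET_CLASS:
            return {_text(p, "param-name"): _text(p, "param-value")
                    for p in servlet if _local(p.tag) == "init-param"}
    return None

def assess(params):
    """Map the init-params onto the advisory's preconditions.
    Tomcat defaults when a param is absent: readonly=true, allowPartialPut=true."""
    if params is None:
        return "no DefaultServlet declaration found"
    readonly = params.get("readonly", "true").lower() == "true"
    partial_put = params.get("allowPartialPut", "true").lower() == "true"
    if readonly:
        return "ok: PUT disabled (readonly=true)"
    if partial_put:
        return "at-risk: readonly=false and partial PUT enabled (both preconditions met)"
    return "reduced: writable, but allowPartialPut=false blocks the partial-PUT path"

# Constructed sample conf/web.xml fragment in the risky state: PUT enabled via readonly=false
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""

# Same fragment with the workaround applied: readonly=true plus an explicit allowPartialPut=false
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "<param-value>false</param-value>",
    "<param-value>true</param-value></init-param>"
    "<init-param><param-name>allowPartialPut</param-name><param-value>false</param-value>")

if __name__ == "__main__":
    for label, text in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, "->", assess(default_servlet_params(text)))
```

Run it against a real conf/web.xml by passing the file contents to default_servlet_params; an "at-risk" result means both workarounds above still apply.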
Permanent Fix (Upgrade)
Apache has released patched versions in its security advisory [1]. Users should upgrade to the latest secure versions immediately:
Fixed Versions:
- 11.0.3
- 10.1.35
- 9.0.99
Vulnerability Reproduction
Timeline
- March 10: Vulnerability publicly disclosed online
- March 11: Chaitin Security Emergency Lab successfully reproduces the vulnerability
- March 11: Chaitin Security Emergency Response Center releases security advisory
For further updates, stay tuned!
Reference:
[1] https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq