Advisory 84: Apache Tomcat Path Equivalence Vulnerability – CVE-2025-24813
Release Date: 1st of April 2025
Impact: HIGH / CRITICAL
TLP Rating: Clear
CERT Vanuatu (CERTVU) and the Department of Communication and Digital Transformation (DCDT) provide the following advisory.
This alert is relevant to organizations that run Apache Tomcat. It is intended for technical users.
What is it?
Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT request.
What are the Systems affected?
On March 10, 2025, Apache published a security advisory for CVE-2025-24813, which affects the Apache Tomcat web server in the following versions:
- Apache Tomcat – versions 11.0.0-M1 to 11.0.2
- Apache Tomcat – versions 10.1.0-M1 to 10.1.34
- Apache Tomcat – versions 9.0.0.M1 to 9.0.98
What does this mean?
This vulnerability could allow a malicious actor to view or inject arbitrary content into security-sensitive files, or to achieve remote code execution. Exploitation does not require authentication. The root cause is how Tomcat's default servlet handles partial PUT requests: the request body is staged in a temporary file under the web application's work directory whose name is derived from the request path with '/' replaced by '.', so a crafted path can be made equivalent to a file that Tomcat later reads for another purpose, including a session persisted by Tomcat's file-based session store at its default location.
Additionally, Apache states that the following conditions are required for a malicious actor to view or inject content into security-sensitive files:
- Write enabled for the default servlet (disabled by default)
- Support for partial PUT (enabled by default)
- A target URL for security-sensitive uploads that was a sub-directory of a target URL for public uploads
- Attacker knowledge of the names of security-sensitive files being uploaded
- The security-sensitive files also being uploaded via partial PUT
Apache also states that the following conditions are required for a malicious actor to achieve remote code execution:
- Write enabled for the default servlet (disabled by default)
- Support for partial PUT (enabled by default)
- Application was using Tomcat's file-based session persistence with the default storage location
- Application included a library that may be leveraged in a deserialization attack
Mitigation process
CERTVU encourages users and administrators to search for indicators of compromise (IOCs) and to apply the necessary updates and workarounds. Organizations should verify whether they are running a vulnerable version of Apache Tomcat and review their configuration against the conditions above to determine their risk.
Organizations should update to one of the following fixed versions of Apache Tomcat:
- Apache Tomcat – Version 11.0.3 or later
- Apache Tomcat – Version 10.1.35 or later
- Apache Tomcat – Version 9.0.99 or later
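To support the version check and the configuration review recommended above, the following script evaluates a Tomcat installation against the conditions Apache lists for both the content-injection and the remote code execution cases. It is an added example written for this advisory, not code from CERTVU, DCDT or the Apache Tomcat project. It assumes the contents of `conf/web.xml` and the application's `context.xml` are passed in as strings, and the sample fragments embedded below are constructed for illustration. The `allowPartialPut` init-param is the switch the fixed releases added to the DefaultServlet; affected releases have no way to turn partial PUT off, so on them only the `readonly` setting matters. Conditions that depend on the application itself (upload URL layout, file names, presence of a deserialization gadget) cannot be read from configuration and still need a manual review.

```python
"""Check a Tomcat installation against the CVE-2025-24813 conditions.

Added example for this advisory (not CERTVU/DCDT/Apache code). Assumes
conf/web.xml and context.xml are supplied as strings; the sample
fragments at the bottom are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

GA = 1 << 30  # sentinel so a GA release sorts after any milestone of the same number

# Affected ranges from the advisory: first affected build (inclusive)
# and first fixed release (exclusive) for each supported branch.
AFFECTED = {
    9: ((9, 0, 0, 1), (9, 0, 99, 0)),     # 9.0.0.M1 .. 9.0.98
    10: ((10, 1, 0, 1), (10, 1, 35, 0)),  # 10.1.0-M1 .. 10.1.34
    11: ((11, 0, 0, 1), (11, 0, 3, 0)),   # 11.0.0-M1 .. 11.0.2
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Turn '9.0.0.M1', '10.1.0-M1' or '11.0.2' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % text)
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else GA)


def version_is_affected(text):
    """True when the version falls inside an affected range. Branches the
    advisory does not list (e.g. the end-of-life 10.0.x line) return False;
    treat those as unsupported rather than as safe."""
    v = parse_version(text)
    bounds = AFFECTED.get(v[0])
    return bounds is not None and bounds[0] <= v < bounds[1]


def _local(tag):
    """Strip an XML namespace: '{https://jakarta.ee/...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _find_all(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]


def _text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def default_servlet_settings(web_xml):
    """Return (readonly, allowPartialPut) for the DefaultServlet; both default
    to true when the init-param is absent, matching Tomcat's defaults."""
    readonly, partial_put = True, True
    for servlet in _find_all(ET.fromstring(web_xml), "servlet"):
        if _text(servlet, "servlet-class") != "org.apache.catalina.servlets.DefaultServlet":
            continue
        for param in _find_all(servlet, "init-param"):
            name = _text(param, "param-name")
            value = (_text(param, "param-value") or "").lower()
            if name == "readonly":
                readonly = value != "false"
            elif name == "allowPartialPut":
                partial_put = value != "false"
    return readonly, partial_put


def file_store_settings(context_xml):
    """Return (uses_file_store, uses_default_directory) from a context.xml.
    The advisory's RCE condition is FileStore at its default location."""
    for store in _find_all(ET.fromstring(context_xml), "Store"):
        if store.get("className") == "org.apache.catalina.session.FileStore":
            return True, store.get("directory") is None
    return False, False


def assess(version, web_xml, context_xml):
    """Combine the checks into the advisory's two exposure profiles."""
    affected = version_is_affected(version)
    readonly, partial_put = default_servlet_settings(web_xml)
    file_store, default_dir = file_store_settings(context_xml)
    writable_partial_put = affected and not readonly and partial_put
    return {
        "version_affected": affected,
        "default_servlet_writable": not readonly,
        "partial_put_allowed": partial_put,
        "file_store_default_dir": file_store and default_dir,
        "content_injection_exposure": writable_partial_put,
        "rce_exposure": writable_partial_put and file_store and default_dir,
    }


# Constructed samples: a web.xml that makes the default servlet writable (the
# weak setting), its hardened counterpart, and a context.xml using FileStore.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
HARDENED_WEB_XML = SAMPLE_WEB_XML.replace("<param-value>false", "<param-value>true")
SAMPLE_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

if __name__ == "__main__":
    for ver, cfg in (("9.0.98", SAMPLE_WEB_XML), ("9.0.99", SAMPLE_WEB_XML),
                     ("9.0.98", HARDENED_WEB_XML)):
        print(ver, assess(ver, cfg, SAMPLE_CONTEXT_XML))
```

Run against a real installation by reading `conf/web.xml`, the context file and the version string from `bin/version.sh` (or `catalina.sh version`). Setting `readonly` back to `true` on the default servlet removes both exposure profiles even on an unpatched build, which is the workaround to apply while the upgrade is scheduled; upgrading to the fixed releases remains the required fix.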
Organizations should also review and implement the Cyber Centre's Top 10 Security Actions, with an emphasis on the following:
- Consolidate, monitor, and defend internet gateways
- Patch operating systems and applications
- Isolate web-facing applications
- Harden operating systems and applications
References
1. https://www.cisa.gov/known-exploited-vulnerabilities-catalog
2. https://www.cve.org/CVERecord?id=CVE-2025-24813
3. https://www.cyber.gc.ca/en/alerts-advisories/vulnerability-impacting-apache-tomcat-cve-2025-24813