Critical Vulnerability in Apache Tomcat Software
24 March 2025
The Apache Software Foundation has released updates addressing a critical vulnerability which affects their Apache Tomcat software. Users and administrators of the affected products are advised to update to the latest versions immediately.
The Apache Software Foundation has released updates addressing a critical vulnerability (CVE-2025-24813) affecting their Apache Tomcat software. The vulnerability has a Common Vulnerability Scoring System (CVSS v3.1) base score of 9.8 out of 10, and a proof-of-concept exploit is publicly available.
An unauthenticated attacker can view security-sensitive files and/or inject content into those files if all of the following conditions are met:
- Writes enabled for the Default Servlet (disabled by default)
- Support enabled for partial PUT (enabled by default)
- Security-sensitive uploads occur in a sub-directory of a public upload directory
- Attacker possesses knowledge of the names of the security-sensitive files being uploaded
- Security-sensitive files are being uploaded using partial PUT
Likewise, an unauthenticated attacker can achieve remote code execution (RCE) if all of the following conditions are met:
- Writes enabled for the Default Servlet (disabled by default)
- Support enabled for partial PUT (enabled by default)
- Application uses the default storage location for Tomcat's file-based session persistence
- Application includes a library that may be leveraged in a deserialisation attack
The vulnerability affects the following versions of Apache Tomcat:
- Apache Tomcat 11.0.0-M1 to 11.0.2 (fixed in 11.0.3 or later)
- Apache Tomcat 10.1.0-M1 to 10.1.34 (fixed in 10.1.35 or later)
- Apache Tomcat 9.0.0.M1 to 9.0.98 (fixed in 9.0.99 or later)
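The two preconditions shared by both attack paths above (a writable Default Servlet and partial PUT support) and the RCE-specific one (file-based session persistence in its default location) are all visible in Tomcat's configuration, and the affected ranges are visible in the version string. The following Python script is an added example written for this advisory, not code from the advisory or from the Apache Tomcat project: it parses a `conf/web.xml` for the `DefaultServlet` init-params `readonly` and `allowPartialPut` (Tomcat's real parameter names; `readonly` defaults to `true`, `allowPartialPut` to `true`), parses a `context.xml` for a `PersistentManager` with a `FileStore` that has no explicit `directory`, and compares the version against the fixed releases listed above. The two sample `web.xml` fragments and the `context.xml` are constructed for this example. The remaining conditions (sensitive files actually being uploaded via partial PUT, a deserialisation gadget on the classpath) cannot be read from these files, so a result of "open" means the necessary configuration is present, not that exploitation has been confirmed.

```python
"""Check a Tomcat instance against the configuration-level preconditions of
CVE-2025-24813. Added example, not advisory or Apache code. Sample XML below
is constructed for illustration; point the functions at the real
conf/web.xml and conf/context.xml (or META-INF/context.xml) to use it."""
import re
import xml.etree.ElementTree as ET

# First fixed release on each affected branch, as listed in the advisory.
FIRST_FIXED = {11: (11, 0, 3), 10: (10, 1, 35), 9: (9, 0, 99)}

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"


def parse_version(version):
    """'9.0.98', '10.1.0-M1' and '9.0.0.M1' -> comparable tuples.
    Milestones get a negative fourth element so that 9.0.0.M1 < 9.0.0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    tail = (int(milestone) - 1000) if milestone else 0
    return (int(major), int(minor), int(patch), tail)


def is_vulnerable_version(version):
    """True/False for the branches the advisory lists; None for any other
    branch (e.g. 8.5), which the advisory does not cover either way."""
    v = parse_version(version)
    fixed = FIRST_FIXED.get(v[0])
    if fixed is None:
        return None
    return v < fixed + (0,)


def _local(tag):
    # web.xml is namespaced (javaee or jakartaee); compare local names only.
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml):
    """init-param name -> value for the servlet whose class is DefaultServlet."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if cls.strip() != DEFAULT_SERVLET:
            continue
        params = {}
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in ip}
            if "param-name" in kv:
                params[kv["param-name"]] = kv.get("param-value", "")
        return params
    return {}


def uses_default_file_store(context_xml):
    """True when PersistentManager + FileStore is configured with no explicit
    'directory', i.e. sessions are written to Tomcat's default location."""
    for mgr in ET.fromstring(context_xml).iter("Manager"):
        if mgr.get("className") != PERSISTENT_MANAGER:
            continue
        for store in mgr.iter("Store"):
            if store.get("className") == FILE_STORE and not store.get("directory"):
                return True
    return False


def assess(version, web_xml, context_xml):
    """Evaluate the preconditions visible in config. 'open' means the necessary
    conditions are met; upload patterns and gadget libraries are not checked."""
    p = default_servlet_params(web_xml)
    writable = p.get("readonly", "true").strip().lower() == "false"        # default: read-only
    partial_put = p.get("allowPartialPut", "true").strip().lower() != "false"  # default: enabled
    vuln = bool(is_vulnerable_version(version))
    r = {
        "vulnerable_version": vuln,
        "default_servlet_writable": writable,
        "partial_put_enabled": partial_put,
        "default_file_store": uses_default_file_store(context_xml),
    }
    r["info_disclosure_path_open"] = vuln and writable and partial_put
    r["rce_path_open"] = r["info_disclosure_path_open"] and r["default_file_store"]
    return r


# --- constructed samples (not real deployment files) -------------------------
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
# Hardened variant: readonly back to its default, partial PUT explicitly off.
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>").replace(
    "</servlet>",
    "  <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>\n  </servlet>")
PERSISTENT_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

if __name__ == "__main__":
    for label, web in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, assess("9.0.98", web, PERSISTENT_CONTEXT_XML))
```

Upgrading to a fixed release is the remediation the advisory calls for; the configuration checks are a way to triage which instances are exposed first, and restoring `readonly` to its default of `true` removes the shared precondition of both attack paths while the upgrade is scheduled.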
Users and administrators of the affected products are advised to update to the latest versions immediately.
More information available here: