CVE-2025-24813 — Apache Tomcat Path Equivalence Vulnerability

Apache Tomcat — Partial PUT Deserialization RCE via Session File Upload (File-Based Sessions + Partial PUT)

What is Apache Tomcat?

Apache Tomcat is the world's most widely deployed open-source Java servlet container and web server, running millions of Java web applications globally. It serves as the foundation for countless enterprise applications, APIs, and frameworks (Spring Boot, Spring MVC, and many others embed Tomcat internally). Tomcat handles HTTP request parsing, session management, and servlet execution. Because Tomcat is the runtime for so many applications, vulnerabilities in its core request handling have extremely broad impact across the Java ecosystem.

Overview

CVE-2025-24813 is a critical path equivalence vulnerability (CWE-44, CVSS 9.8) in Apache Tomcat that enables remote code execution under specific, but common, configuration conditions. When Tomcat is configured with partial PUT support (default disabled but enabled in many configurations) AND uses file-based session persistence (common in servlet applications), an unauthenticated attacker can upload a malicious serialized Java object in the body of a partial PUT request. The object is stored as a session file; when a second request triggers session deserialization, arbitrary code executes. Public PoC exploits appeared within days of the March 10, 2025 advisory.

Affected Versions

Branch                 Vulnerable                    Fixed
Apache Tomcat 11.0.x   11.0.0-M1 through 11.0.2      11.0.3
Apache Tomcat 10.1.x   10.1.0-M1 through 10.1.34     10.1.35
Apache Tomcat 9.0.x    9.0.0.M1 through 9.0.98       9.0.99

Technical Details

The vulnerability (CWE-44: Path Equivalence) requires two conditions to be met simultaneously:

Condition 1: Partial PUT is enabled in Tomcat (readonly=false in the DefaultServlet configuration, OR a third-party partial PUT implementation is in use).

Condition 2: The application uses file-based session persistence — sessions are stored as serialized Java objects in files on the Tomcat server's filesystem (configured via PersistentManager with a FileStore).

Attack chain:

  1. The attacker sends a partial PUT request (using the Content-Range header) targeting a path that Tomcat treats equivalently to the session storage directory. Due to the path equivalence flaw, Tomcat writes the PUT body into the session file directory.
  2. The PUT body contains a malicious Java serialized object (a gadget chain using common libraries like Commons Collections).
  3. The attacker sends a second request that includes a JSESSIONID cookie referencing the uploaded session file. Tomcat loads and deserializes the session data, executing the gadget chain and achieving arbitrary code execution as the Tomcat user.

Without both conditions, the impact is reduced to potential information disclosure (partial file read) or denial of service.

Discovery

Reported through Apache's vulnerability disclosure process. Rapid7 published the first detailed technical analysis on March 13, 2025.

Exploitation Context

Public PoC exploits appeared on GitHub within 72 hours of the advisory. CISA added CVE-2025-24813 to the KEV catalog on 1 April 2025, confirming active exploitation. The vulnerability is particularly impactful because file-based session persistence is used by many Java web applications and partial PUT is enabled in various framework and container configurations. No specific threat actor group has been publicly attributed.

Remediation

  1. Upgrade Apache Tomcat immediately: 11.0.3+ (for 11.0.x), 10.1.35+ (for 10.1.x), 9.0.99+ (for 9.0.x).
  2. Disable partial PUT if it is not required: in web.xml, set readonly=true on the DefaultServlet (the default). Review any custom servlet configurations that enable partial PUT.
  3. Switch from file-based to in-memory session persistence if possible: file-based sessions are the required second condition for RCE. In-memory sessions eliminate the deserialization attack surface.
  4. If using Spring Boot with embedded Tomcat: ensure you are using a Spring Boot version that bundles a fixed Tomcat release, and rebuild/redeploy your application.
  5. Apply Java deserialization protections: configure JVM-level deserialization filters (-Djdk.serialFilter) to block known gadget chains from common libraries.

Key Details

Property              Value
CVE ID                CVE-2025-24813
Vendor / Product      Apache — Tomcat
NVD Published         2025-03-10
NVD Last Modified     2025-10-23
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-44
CISA KEV Added        2025-04-01
CISA KEV Deadline     2025-04-22
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-04-22. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-03-10   Apache Tomcat advisory published; CVE published; fixed versions released
2025-03-13   Public PoC exploits published; exploitation in the wild begins
2025-04-01   CISA adds to Known Exploited Vulnerabilities catalog
2025-04-22   CISA BOD 22-01 remediation deadline