How the CVE Works:
CVE-2025-24813 is a critical vulnerability in Apache Tomcat that arises from a path equivalence issue involving the `file.Name` pattern, specifically when handling internal dots (e.g., /path/to/./file). This flaw allows attackers to abuse the default servlet's partial PUT functionality, which is enabled by default. When write permissions are enabled for the default servlet (disabled by default), an attacker can manipulate file paths to disclose sensitive information, inject malicious content into uploaded files, or execute remote code. The vulnerability is particularly dangerous when combined with file-based session persistence and deserialization attacks, as it can lead to full remote code execution. Affected versions include Apache Tomcat 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98. Upgrading to versions 11.0.3, 10.1.35, or 9.0.99 mitigates the issue.
DailyCVE Form:
Platform: Apache Tomcat
Version: 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, 9.0.0.M1 to 9.0.98
Vulnerability: Path Equivalence
Severity: Critical
Date: 03/10/2025
What Undercode Say:
Exploitation:
- Exploit Path Equivalence: Attackers can craft malicious URLs with internal dots (e.g., /path/to/./sensitive_file) to bypass security checks.
- Partial PUT Abuse: Use the default servlet's partial PUT support to overwrite or inject content into sensitive files.
- Deserialization Attack: Combine with file-based session persistence to execute arbitrary code via deserialization vulnerabilities.
Protection:
- Upgrade: Immediately upgrade to Apache Tomcat 11.0.3, 10.1.35, or 9.0.99.
- Disable Partial PUT: Disable partial PUT support in the default servlet configuration.
- Restrict Write Permissions: Ensure write permissions are disabled for the default servlet unless absolutely necessary.
- Session Persistence: Avoid using file-based session persistence or secure the storage location.
- Input Validation: Implement strict input validation to prevent path manipulation.
Commands:
1. Check Tomcat Version:
catalina.sh version
2. Disable Partial PUT:
In conf/web.xml, keep the default servlet read-only (readonly=true is the shipped default; it rejects PUT and DELETE, including partial PUT):
    <servlet>
        <servlet-name>default</servlet-name>
        <init-param>
            <param-name>readonly</param-name>
            <param-value>true</param-value>
        </init-param>
    </servlet>
3. Upgrade Tomcat:
wget https://downloads.apache.org/tomcat/tomcat-11/v11.0.3/bin/apache-tomcat-11.0.3.tar.gz
tar -xzf apache-tomcat-11.0.3.tar.gz
Code Snippets:
1. Validate File Paths:
import java.nio.file.Paths;

// Collapse "." and ".." segments first, then compare the canonical form against the
// allowed prefix; comparing the raw input would let /safe/directory/./x or ../ spellings through.
static String validateFilePath(String userInput) {
    String safePath = Paths.get(userInput).normalize().toString();
    if (!safePath.startsWith("/safe/directory/")) {
        throw new SecurityException("Invalid file path");
    }
    return safePath;
}
2. Secure Session Persistence:
// catalina.base decides where Tomcat keeps its work/session files; it must be set before
// Tomcat starts (normally via CATALINA_BASE or JAVA_OPTS), not from inside a running webapp.
System.setProperty("catalina.base", "/secure/path");
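The two things a defender needs from this page are a path check that treats the internal-dot spelling (/path/to/./file) as non-canonical rather than trusting a string prefix, and a way to spot such requests in access logs. The block below is an added example written for this page, not code from Undercode or from Apache Tomcat. It serves both the "Input Validation" item above and the "Validate File Paths" snippet: `resolve_upload_target` is the hardened form of that snippet (it resolves a client-supplied relative name under an assumed base directory and rejects any "." or ".." segment, percent-encoded or not), and `flag_suspicious_requests` runs the same canonicalization over constructed common-log-format lines to flag PUT/DELETE requests whose raw path differs from its canonical form. The log lines, IPs and the /var/app/uploads base directory are constructed for the example; note that a default access log does not record headers, so a partial PUT (Content-Range) cannot be distinguished from a full PUT by this check alone.

```python
import posixpath
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample access log lines (common log format); not from any real deployment.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "GET /app/index.html HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2025:12:00:02 +0000] "PUT /app/uploads/./report.txt HTTP/1.1" 201 0
10.0.0.9 - - [10/Mar/2025:12:00:03 +0000] "PUT /app/uploads/../../conf/web.xml HTTP/1.1" 403 0
10.0.0.7 - - [10/Mar/2025:12:00:04 +0000] "PUT /app/uploads/report.txt HTTP/1.1" 201 0
10.0.0.7 - - [10/Mar/2025:12:00:05 +0000] "GET /app/uploads/report.txt HTTP/1.1" 200 128
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def _segments(path: str) -> List[str]:
    """Percent-decode a URL path (query string dropped) and split it into segments."""
    return unquote(path.split("?", 1)[0]).split("/")


def has_dot_segments(path: str) -> bool:
    """True when the raw path spells itself with '.' or '..' segments, i.e. it is a
    non-canonical equivalent of some other path (the CVE-2025-24813 pattern)."""
    return any(seg in (".", "..") for seg in _segments(path))


def canonicalize(path: str) -> str:
    """Collapse '.' and '..' segments to obtain the path the server would actually act on."""
    return posixpath.normpath("/".join(_segments(path)))


def resolve_upload_target(base_dir: str, user_path: str) -> Optional[str]:
    """Hardened form of the page's Java check: resolve a client-supplied relative name
    under base_dir. Returns the canonical target, or None when the name is absolute,
    contains any dot segment, or escapes base_dir after normalization."""
    base = posixpath.normpath(base_dir).rstrip("/") + "/"
    raw = unquote(user_path)
    if not raw or raw.startswith("/") or any(seg in (".", "..") for seg in raw.split("/")):
        return None
    target = posixpath.normpath(posixpath.join(base, raw))
    # Defence in depth: even after rejecting dot segments, require the canonical
    # result to stay inside the base directory.
    return target if target.startswith(base) else None


def flag_suspicious_requests(log_text: str) -> List[Dict[str, object]]:
    """Flag write requests (PUT/DELETE) whose raw path is a non-canonical spelling.
    Each finding records the raw path, its canonical form and the server's response."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        method, path = m["method"], m["path"]
        if method in ("PUT", "DELETE") and has_dot_segments(path):
            findings.append({
                "ip": m["ip"],
                "method": method,
                "path": path,
                "canonical": canonicalize(path),
                "status": int(m["status"]),
            })
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_requests(SAMPLE_ACCESS_LOG):
        print(f"{f['ip']} {f['method']} {f['path']} -> {f['canonical']} ({f['status']})")
    print(resolve_upload_target("/var/app/uploads", "report.txt"))
    print(resolve_upload_target("/var/app/uploads", "./report.txt"))
```

A 2xx status on a flagged line means the write was accepted and the target file should be checked; a 403 shows the request was blocked but still indicates probing of the upload path, which is worth alerting on in its own right.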
Analytics:
- CVSS Score: 9.8 (Critical)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact: Confidentiality, Integrity, Availability
By following these steps, organizations can mitigate the risks associated with CVE-2025-24813 and secure their Apache Tomcat deployments.
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-24813
Extra Source Hub:
Undercode