- Home
- Alerts & Advisories
- Alerts
- Critical Vulnerability in Apache Tomcat Software
Alerts
Critical Vulnerability in Apache Tomcat Software
24 March 2025
The Apache Software Foundation has released updates addressing a critical vulnerability which affects their Apache Tomcat software. Users and administrators of the affected products are advised to update to the latest versions immediately.
The Apache Software Foundation has released updates addressing a critical vulnerability (CVE-2025-24813) affecting their Apache Tomcat software. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.8 out of 10, with a proof of concept exploit publicly available.
An unauthenticated attacker will be able to view security sensitive files and/or inject content into those files, if the following conditions are met:
Writes enabled for the Default Servlet (disabled by default)
Support enabled for partial PUT (enabled by default)
Security-sensitive uploads occur in a sub-directory of a public upload directory
Attacker possesses knowledge of the names of security sensitive files being uploaded
Security sensitive files are being uploaded using partial PUT
Likewise, an unauthenticated attacker can perform remote code execution (RCE) if the following conditions are met:
Writes enabled for the Default Servlet (disabled by default)
Support enabled for partial PUT (enabled by default)
Application uses default storage location for Tomcat's file based session persistence
Application includes a library that may be leveraged in a deserialisation attack
The vulnerability affects the following versions of Apache Tomcat:
Apache Tomcat 11.0.0-M1 to 11.0.2 (fixed in 11.0.3 or later)
Apache Tomcat 10.1.0-M1 to 10.1.34 (fixed in 10.1.35 or later)
Apache Tomcat 9.0.0.M1 to 9.0.98 (fixed in 9.0.99 or later)
Users and administrators of the affected products are advised to update to the latest versions immediately.
More information available here: