
A serious security vulnerability has been identified in Apache Tomcat, potentially exposing servers to remote code execution (RCE), information disclosure, and data corruption. The vulnerability, designated as CVE-2025-24813, affects multiple versions of the widely used open-source web server and servlet container.
The Apache Software Foundation disclosed the vulnerability on March 10, 2025, and has released patched versions to address the security flaw. The vulnerability stems from how Tomcat implements partial PUT requests, where "the original implementation of partial PUT used a temporary file based on the user provided file name and path with the path separator replaced by '.'," according to the advisory.
This vulnerability can be exploited in two primary scenarios:
In the first scenario, attackers could view or modify sensitive files if several conditions align: the default servlet has writes enabled (disabled by default), partial PUT support is active (enabled by default), security-sensitive uploads target a subdirectory of public uploads, and the attacker knows the names of sensitive files being uploaded via partial PUT.
More seriously, if a server has writes enabled for the default servlet, partial PUT support active, uses Tomcat's file-based session persistence with the default storage location, and includes a library vulnerable to deserialization attacks, an attacker could execute arbitrary code remotely.
The vulnerability affects:
- Apache Tomcat 11.0.0-M1 through 11.0.2
- Apache Tomcat 10.1.0-M1 through 10.1.34
- Apache Tomcat 9.0.0.M1 through 9.0.98
Security experts emphasize the severity of this vulnerability, particularly because partial PUT support is enabled by default in affected versions, potentially leaving many production servers exposed if not promptly patched.
The Apache Software Foundation strongly recommends that organizations using affected versions immediately upgrade to Apache Tomcat 11.0.3, 10.1.35, or 9.0.99 or later, depending on their current version.
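The conditions listed for the two scenarios above, together with the affected version ranges and fixed releases, can be turned into a configuration audit. The script below is an added example written for this article; it is not code from the Apache Tomcat project or from the advisory. It assumes the administrator can supply the running Tomcat version string plus the text of `conf/web.xml` and `conf/context.xml`, and it checks the three preconditions that are visible in configuration: whether the version falls inside an affected range, whether the default servlet has the `readonly` init-param set to `false` (writes enabled), and whether a `PersistentManager` with a `FileStore` (file-based session persistence) is configured. The remaining conditions named in the article, a deserialization-vulnerable library on the classpath and the layout of upload directories, cannot be read from these two files and are reported as unchecked. The sample XML fragments are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, from the advisory; anything earlier in the
# same branch (including milestone builds) is in the affected range.
FIXED_VERSIONS = {(9, 0): "9.0.99", (10, 1): "10.1.35", (11, 0): "11.0.3"}

# Accepts "9.0.98", "9.0.0.M1" and "11.0.0-M1" style version strings.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(version):
    """Return a sortable tuple; milestone builds sort before the final release."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), 0 if milestone else 1, int(milestone or 0))


def is_affected_version(version):
    """True if inside an affected range, False if fixed, None if the branch is not in the advisory."""
    key = parse_version(version)
    fixed = FIXED_VERSIONS.get(key[:2])
    if fixed is None:
        return None
    return key < parse_version(fixed)


def _local(tag):
    # Strip the XML namespace so the same code handles javaee and jakartaee web.xml files.
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml_text):
    """Collect init-params of the servlet whose class is DefaultServlet."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = "".join(c.text or "" for c in servlet if _local(c.tag) == "servlet-class").strip()
        if not cls.endswith(".DefaultServlet"):
            continue
        params = {}
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            name = value = None
            for child in init_param:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name:
                params[name] = value
        return params
    return {}


def default_servlet_writable(web_xml_text):
    # readonly defaults to true, so writes are enabled only when it is explicitly "false".
    return default_servlet_params(web_xml_text).get("readonly", "true").lower() == "false"


def uses_file_session_store(context_xml_text):
    """True if a PersistentManager is backed by a FileStore (file-based session persistence)."""
    root = ET.fromstring(context_xml_text)
    for manager in root.iter("Manager"):
        if not manager.get("className", "").endswith(".PersistentManager"):
            continue
        for store in manager.iter("Store"):
            if store.get("className", "").endswith(".FileStore"):
                return True
    return False


def assess(version, web_xml_text, context_xml_text):
    """Summarise which preconditions from the advisory are visible in configuration."""
    findings = {
        "affected_version": is_affected_version(version),
        "default_servlet_writable": default_servlet_writable(web_xml_text),
        "file_session_persistence": uses_file_session_store(context_xml_text),
        # Not derivable from web.xml/context.xml; must be reviewed separately.
        "unchecked": ["deserialization-vulnerable library", "upload directory layout"],
    }
    if findings["affected_version"] is None:
        findings["exposure"] = "branch_not_in_advisory"
    elif not findings["affected_version"]:
        findings["exposure"] = "fixed_version"
    elif findings["default_servlet_writable"] and findings["file_session_persistence"]:
        findings["exposure"] = "rce_preconditions_present"
    elif findings["default_servlet_writable"]:
        findings["exposure"] = "file_access_preconditions_present"
    else:
        findings["exposure"] = "patch_required"
    return findings


# Constructed sample inputs: a web.xml with writes enabled on the default servlet
# and a context.xml using file-based session persistence.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

SAMPLE_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

if __name__ == "__main__":
    for item, value in assess("9.0.98", SAMPLE_WEB_XML, SAMPLE_CONTEXT_XML).items():
        print(f"{item}: {value}")
```

Run against a real installation by reading the two files from `$CATALINA_BASE/conf` and passing the version reported by `version.sh`; an `exposure` of anything other than `fixed_version` means the upgrade to 11.0.3, 10.1.35 or 9.0.99 is still outstanding, and the two `unchecked` items need a manual review of the deployed libraries and upload paths.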
The vulnerability was discovered by COSCO Shipping Lines DIC and security researcher sw0rd1ight, who responsibly disclosed the issue to the Apache Software Foundation.
Systems administrators should prioritize patching this vulnerability, as it represents a significant security risk that could lead to both data breaches and complete server compromise.
The combination of information disclosure and remote code execution capabilities makes this a particularly dangerous vulnerability if left unaddressed.