Tomcat vulnerability CVE-2025-24813

Article ID: 391407

Products

VMware Tanzu Application Service

Issue/Introduction

Apache Tomcat vulnerability CVE-2025-24813

Remote Code Execution and/or information disclosure and/or malicious content added to uploaded files via a write-enabled Default Servlet

The original implementation of partial PUT used a temporary file whose name was derived from the user-provided file name and path, with the path separator replaced by ".".

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:

  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • a target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads
  • attacker knowledge of the names of security sensitive files being uploaded
  • the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • application was using Tomcat's file based session persistence with the default storage location
  • application included a library that may be leveraged in a deserialization attack


Please refer to the link below for more information.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24813

Environment

Affected Apache Tomcat versions

  • from 11.0.0-M1 through 11.0.2
  • from 10.1.0-M1 through 10.1.34
  • from 9.0.0.M1 through 9.0.98

Resolution

The vulnerability is fixed in the following Apache Tomcat versions:

  • 11.0.3 or later
  • 10.1.35 or later
  • 9.0.99 or later
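The preconditions listed under Issue/Introduction and the version ranges listed under Environment and Resolution can be turned into a quick operator-side exposure check. The following is an added example, not code from this article or from the Apache Tomcat project. It parses Tomcat version strings (including milestone builds such as 9.0.0.M1 and 11.0.0-M1), tests them against the affected ranges stated above, and reads the Default Servlet's init-params from a web.xml string: `readonly` is the real Tomcat parameter that controls write access (default true); `allowPartialPut` is assumed here as the parameter governing partial PUT and is not taken from this page. The two web.xml documents are constructed samples, one with writes enabled and one hardened.

```python
"""Defender-side exposure check for CVE-2025-24813 (added example, not KB or Tomcat code)."""
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges, exactly as stated in the advisory.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.2"),
    ("10.1.0-M1", "10.1.34"),
    ("9.0.0.M1", "9.0.98"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def parse_version(text):
    """Turn '9.0.98', '9.0.0.M1' or '11.0.0-M1' into a sortable tuple.

    A milestone (M<n>) build sorts before the final release of the same x.y.z,
    so the tuple is (major, minor, patch, is_final, milestone).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected_version(text):
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def default_servlet_params(web_xml_text):
    """Return the init-params of Tomcat's DefaultServlet from a web.xml string.

    The {*} wildcard matches the element whether or not the Java EE / Jakarta EE
    namespace is declared on the root element.
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iterfind(".//{*}servlet"):
        cls = servlet.findtext("{*}servlet-class", default="").strip()
        if cls == "org.apache.catalina.servlets.DefaultServlet":
            return {
                p.findtext("{*}param-name", default="").strip():
                p.findtext("{*}param-value", default="").strip()
                for p in servlet.iterfind(".//{*}init-param")
            }
    return {}


def assess(version, web_xml_text):
    """Combine the version check with the two Default Servlet preconditions."""
    params = default_servlet_params(web_xml_text)
    # Tomcat's readonly init-param defaults to true; writes are on only when it is "false".
    writes_enabled = params.get("readonly", "true").lower() == "false"
    # Assumed parameter name (not on the advisory page); treated as on unless set to "false",
    # matching the advisory's statement that partial PUT support is enabled by default.
    partial_put = params.get("allowPartialPut", "true").lower() != "false"
    affected = is_affected_version(version)
    return {
        "version_affected": affected,
        "writes_enabled": writes_enabled,
        "partial_put_enabled": partial_put,
        "exposed": affected and writes_enabled and partial_put,
    }


# Constructed sample: the weak setting (readonly=false) on the Default Servlet.
WEAK_WEB_XML = """<web-app xmlns="http://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed sample: the hardened setting (writes off, partial PUT off).
HARDENED_WEB_XML = """<web-app xmlns="http://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""


if __name__ == "__main__":
    for ver, cfg in [("9.0.98", WEAK_WEB_XML), ("9.0.99", WEAK_WEB_XML), ("9.0.98", HARDENED_WEB_XML)]:
        print(ver, assess(ver, cfg))
```

In practice the web.xml text would be read from `$CATALINA_BASE/conf/web.xml` (and any per-application override that redeclares the default servlet), and the version from the running instance. The check reports the version as the decisive factor: with writes disabled the advisory's preconditions are not met, but only the fixed releases listed above remove the defect itself.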

For reference - Apache Tomcat vulnerabilities


Additional Information


If you are running Tanzu Platform, please review Impact of Tomcat CVE-2025-24813 on Tanzu Platform