The Apache Software Foundation published details of a remote code execution (RCE) vulnerability in Apache Tomcat, CVE-2025-24813. Tomcat is embedded in various Tanzu Platform products. This article outlines the impact and exposure of this CVE across Tanzu Platform.
The following Tanzu Platform components use Apache Tomcat and may either be vulnerable to CVE-2025-24813 or be reported as a false positive for it:
Java Buildpack v4.79+ (included in Tanzu Platform Cloud Foundry 10.0.3, 6.0.13 and 4.0.33) packages Tomcat v10.1.35, which contains the fix for the vulnerability. Upgrading Tanzu Platform Cloud Foundry is the preferred method to remediate any exposure from the Java Buildpack.
Alternatively, you can download the latest Java Buildpack from the Broadcom Support Portal and either override the default buildpack version or manually set the buildpack used by the application.
Spring Boot v3.2.13 and v3.3.9 contain a patched version of Tomcat (10.1.36) with the vulnerability fix.
Alternatively, you can override the Tomcat version dependency in the application's pom.xml by specifying a version that contains the fix (the + denotes that version or any later release on the same line):
<tomcat.version>9.0.99+</tomcat.version>
<tomcat.version>10.1.35+</tomcat.version>
<tomcat.version>11.0.3+</tomcat.version>
Note: Spring Boot does not register Tomcat's default servlet by default, so for CVE-2025-24813 to affect a Spring Boot application running embedded Tomcat, the application would have to set server.servlet.register-default-servlet=true
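As an added check, not part of the advisory, the script below reads the tomcat.version override from a Spring Boot application's pom.xml and the register-default-servlet setting from its application.properties, and reports whether both conditions named above (an unfixed Tomcat version on its release line and the default servlet enabled) hold. It assumes the override lives in the POM's properties block and that settings are in .properties format; the sample files are constructed.

```python
import re
import xml.etree.ElementTree as ET
# Minimum fixed Tomcat release per line, as listed in the advisory above.
FIXED = {(9, 0): (9, 0, 99), (10, 1): (10, 1, 35), (11, 0): (11, 0, 3)}
MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample inputs (not taken from a real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><tomcat.version>10.1.34</tomcat.version></properties>
</project>"""
SAMPLE_PROPS = "server.port=8080\nserver.servlet.register-default-servlet=true\n"

def parse_version(text):
    """Turn '10.1.34' (optionally with a trailing '+') into (10, 1, 34)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    return tuple(int(x) for x in m.groups())

def tomcat_is_fixed(version):
    """True when the version is at or above the fixed release on its line."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        raise ValueError(f"release line {v[0]}.{v[1]} not covered by the advisory")
    return v >= fixed

def tomcat_version_from_pom(pom_xml):
    """Read <properties><tomcat.version>, with or without the Maven namespace."""
    root = ET.fromstring(pom_xml)
    node = root.find("m:properties/m:tomcat.version", MAVEN_NS)
    if node is None:
        node = root.find("properties/tomcat.version")
    return None if node is None or not node.text else node.text.strip()

def default_servlet_enabled(properties_text):
    """Spring Boot leaves the default servlet unregistered unless set to true."""
    for line in properties_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "server.servlet.register-default-servlet":
            return value.strip().lower() == "true"
    return False

def assess(pom_xml, properties_text):
    """Both advisory conditions must hold for the application to be exposed."""
    version = tomcat_version_from_pom(pom_xml)
    unfixed = version is not None and not tomcat_is_fixed(version)
    servlet = default_servlet_enabled(properties_text)
    return {"tomcat": version, "unfixed": unfixed, "default_servlet": servlet,
            "exposed": unfixed and servlet}
```

A POM with no tomcat.version override inherits the Tomcat version from the Spring Boot parent, so a None result means the Spring Boot version itself must be checked against the releases listed above.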
UAA, CredHub and BOSH/Ops Manager do not meet all the conditions required to be vulnerable to CVE-2025-24813.
Scanners may flag this vulnerability in UAA as a false positive, but no actual security vulnerability exists in our current setup. To eliminate the false positive, we recommend upgrading to UAA v77.20.3, which is part of these TPCF releases: 10.0.3, 6.0.13, 4.0.33