---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: The Cybersecurity Service for the Union institutions, bodies, offices and agencies
title: 'Critical Vulnerability in Apache Tomcat'
number: '2025-014'
version: '1.0'
original_date: '2025-04-03'
date: '2025-04-03'
---

_History:_

* _03/04/2025 --- v1.0 -- Initial publication_

# Summary

On March 10, 2025, Apache released a security advisory [1] regarding a critical vulnerability affecting Apache Tomcat. It is recommended to update affected assets to a fixed version of Apache Tomcat.

# Technical Details

The vulnerability **CVE-2025-24813**, with a CVSS score of 9.8, lies in Apache Tomcat's partial PUT feature. Under specific circumstances, successful exploitation allows attackers to execute code remotely on target systems via unsafe deserialisation [1,2].

An attacker could view security-sensitive files and/or inject content into those files if all of the following are true:

- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)

_Note: other conditions are listed by the vendor, but disputed by researchers._

An attacker could achieve remote code execution if all of the following are true:

- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- the application uses Tomcat's file-based session persistence (disabled by default) with the default storage location
- the application includes a library that can be leveraged in a deserialisation attack (this is the case for many Java applications)

# Affected Products

The following versions of Apache Tomcat are affected:

- Apache Tomcat 11.0.0-M1 to 11.0.2 (fixed in 11.0.3 or later)
- Apache Tomcat 10.1.0-M1 to 10.1.34 (fixed in 10.1.35 or later)
- Apache Tomcat 9.0.0.M1 to 9.0.98 (fixed in 9.0.99 or later)

# Recommendations

CERT-EU recommends updating the affected products to the latest version. Updating is the fix; the preconditions listed under Technical Details indicate which deployments are exposed in the meantime.

# References

[1]

[2]
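The preconditions in Technical Details and the version ranges in Affected Products can be checked mechanically against a deployment's configuration. The following is an added example written for this page, not CERT-EU's or the Apache Tomcat project's code. It assumes the `readonly` DefaultServlet init-param (writes enabled when `false`), the `allowPartialPut` init-param of the fixed releases for disabling partial PUT (this name is not on the page and is taken from the Tomcat documentation, so treat it as an assumption), and the standard `PersistentManager`/`FileStore` class names for file-based session persistence. All XML in the block is constructed sample input; the fourth RCE condition (a deserialisation gadget library on the classpath) is not a configuration question and is not checked.

```python
"""Audit Tomcat config for the CVE-2025-24813 preconditions listed above.

Added example, not CERT-EU's or the Apache Tomcat project's code. Checks:
version below the branch's fixed release, DefaultServlet `readonly` false,
partial PUT not disabled (the `allowPartialPut` init-param of the fixed
releases is an assumption; absent means enabled), and PersistentManager
with FileStore in context.xml. All XML below is constructed sample input.
"""
import re
import xml.etree.ElementTree as ET

FIXED = {9: "9.0.99", 10: "10.1.35", 11: "11.0.3"}  # from Affected Products
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"

def local(tag): return tag.rsplit("}", 1)[-1]  # drop the web-app XML namespace

def version_key(version):
    """Sort key for 9.0.98, 9.0.0.M1 or 11.0.0-M1; milestone builds (M) sort
    before the final release carrying the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    milestone = int(m.group(4)) if m.group(4) else None
    return (major, minor, patch, 0 if milestone is not None else 1, milestone or 0)

def version_is_vulnerable(version):
    """True below the fixed release; None for branches the advisory omits."""
    key = version_key(version)
    fixed = FIXED.get(key[0])
    return None if fixed is None else key < version_key(fixed)

def default_servlet_params(web_xml):
    """init-params of the DefaultServlet declaration in (conf/)web.xml."""
    for servlet in ET.fromstring(web_xml).iter():
        if local(servlet.tag) != "servlet":
            continue
        kids = {local(c.tag): (c.text or "").strip() for c in servlet}
        if kids.get("servlet-class") != DEFAULT_SERVLET:
            continue
        params = {}
        for ip in servlet:
            if local(ip.tag) == "init-param":
                kv = {local(c.tag): (c.text or "").strip() for c in ip}
                params[kv.get("param-name")] = kv.get("param-value")
        return params
    return {}

def file_store_persistence(context_xml):
    """True if a PersistentManager backed by FileStore is configured."""
    for mgr in ET.fromstring(context_xml).iter("Manager"):
        if mgr.get("className") == PERSISTENT_MANAGER and any(
                s.get("className") == FILE_STORE for s in mgr.iter("Store")):
            return True
    return False

def assess(version, web_xml, context_xml):
    """Return (exposure, findings): 'none', 'file-read-write' (first two
    conditions on a vulnerable version) or 'rce-preconditions' (FileStore too)."""
    params = default_servlet_params(web_xml)
    checks = {
        "version below fixed release": bool(version_is_vulnerable(version)),
        "DefaultServlet readonly=false (writes enabled)":
            params.get("readonly", "true").lower() == "false",
        "partial PUT enabled (allowPartialPut not set to false)":
            params.get("allowPartialPut", "true").lower() != "false",
        "PersistentManager with FileStore configured": file_store_persistence(context_xml),
    }
    vuln, writes, partial, store = checks.values()
    findings = [name for name, hit in checks.items() if hit]
    if not (vuln and writes and partial):
        return "none", findings
    return ("rce-preconditions" if store else "file-read-write"), findings

def sample_web_xml(**init_params):
    """Constructed web.xml declaring the DefaultServlet with the given init-params."""
    params = "".join(
        f"<init-param><param-name>{k}</param-name><param-value>{v}</param-value></init-param>"
        for k, v in init_params.items())
    return (f'<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>'
            f'<servlet-name>default</servlet-name><servlet-class>{DEFAULT_SERVLET}</servlet-class>'
            f'{params}</servlet></web-app>')

WEAK_WEB_XML = sample_web_xml(readonly="false")                          # writes on
HARDENED_WEB_XML = sample_web_xml(readonly="true", allowPartialPut="false")
WEAK_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""  # constructed: file-based session persistence, default directory
HARDENED_CONTEXT_XML = "<Context/>"  # default StandardManager, no persistence

if __name__ == "__main__":
    for label, ver, web, ctx in [("weak", "9.0.98", WEAK_WEB_XML, WEAK_CONTEXT_XML),
                                 ("hardened", "9.0.99", HARDENED_WEB_XML, HARDENED_CONTEXT_XML)]:
        exposure, findings = assess(ver, web, ctx)
        print(f"{label} ({ver}): exposure={exposure}; findings={findings}")
```

To run it against a real server, pass the contents of `conf/web.xml` (or an application `web.xml` that redeclares the default servlet) and the relevant `context.xml` to `assess()` together with the version reported by `version.sh`. The version check alone decides whether to patch; the configuration checks only tell you how much a vulnerable instance is exposed while the update is pending.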