CVE-2025-24813

Path Equivalence: file.Name (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default)

support for partial PUT (enabled by default)
a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcats file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

Weakness

The product accepts path input in the form of internal dot (‘file.ordir’) without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.

Affected Software

Name	Vendor	Start Version	End Version
Tomcat	Apache	*	9.0.99 (excluding)
Tomcat	Apache	10.1.1 (including)	10.1.35 (excluding)
Tomcat	Apache	11.0.1 (including)	11.0.3 (excluding)
Tomcat	Apache	10.1.0-milestone1 (including)	10.1.0-milestone1 (including)
Tomcat	Apache	10.1.0-milestone10 (including)	10.1.0-milestone10 (including)
Tomcat	Apache	10.1.0-milestone11 (including)	10.1.0-milestone11 (including)
Tomcat	Apache	10.1.0-milestone12 (including)	10.1.0-milestone12 (including)
Tomcat	Apache	10.1.0-milestone13 (including)	10.1.0-milestone13 (including)
Tomcat	Apache	10.1.0-milestone14 (including)	10.1.0-milestone14 (including)
Tomcat	Apache	10.1.0-milestone15 (including)	10.1.0-milestone15 (including)
Tomcat	Apache	10.1.0-milestone16 (including)	10.1.0-milestone16 (including)
Tomcat	Apache	10.1.0-milestone17 (including)	10.1.0-milestone17 (including)
Tomcat	Apache	10.1.0-milestone18 (including)	10.1.0-milestone18 (including)
Tomcat	Apache	10.1.0-milestone19 (including)	10.1.0-milestone19 (including)
Tomcat	Apache	10.1.0-milestone2 (including)	10.1.0-milestone2 (including)
Tomcat	Apache	10.1.0-milestone20 (including)	10.1.0-milestone20 (including)
Tomcat	Apache	10.1.0-milestone3 (including)	10.1.0-milestone3 (including)
Tomcat	Apache	10.1.0-milestone4 (including)	10.1.0-milestone4 (including)
Tomcat	Apache	10.1.0-milestone5 (including)	10.1.0-milestone5 (including)
Tomcat	Apache	10.1.0-milestone6 (including)	10.1.0-milestone6 (including)
Tomcat	Apache	10.1.0-milestone7 (including)	10.1.0-milestone7 (including)
Tomcat	Apache	10.1.0-milestone8 (including)	10.1.0-milestone8 (including)
Tomcat	Apache	10.1.0-milestone9 (including)	10.1.0-milestone9 (including)
Tomcat	Apache	11.0.0-milestone1 (including)	11.0.0-milestone1 (including)
Tomcat	Apache	11.0.0-milestone10 (including)	11.0.0-milestone10 (including)
Tomcat	Apache	11.0.0-milestone11 (including)	11.0.0-milestone11 (including)
Tomcat	Apache	11.0.0-milestone12 (including)	11.0.0-milestone12 (including)
Tomcat	Apache	11.0.0-milestone13 (including)	11.0.0-milestone13 (including)
Tomcat	Apache	11.0.0-milestone14 (including)	11.0.0-milestone14 (including)
Tomcat	Apache	11.0.0-milestone15 (including)	11.0.0-milestone15 (including)
Tomcat	Apache	11.0.0-milestone16 (including)	11.0.0-milestone16 (including)
Tomcat	Apache	11.0.0-milestone17 (including)	11.0.0-milestone17 (including)
Tomcat	Apache	11.0.0-milestone18 (including)	11.0.0-milestone18 (including)
Tomcat	Apache	11.0.0-milestone19 (including)	11.0.0-milestone19 (including)
Tomcat	Apache	11.0.0-milestone2 (including)	11.0.0-milestone2 (including)
Tomcat	Apache	11.0.0-milestone20 (including)	11.0.0-milestone20 (including)
Tomcat	Apache	11.0.0-milestone21 (including)	11.0.0-milestone21 (including)
Tomcat	Apache	11.0.0-milestone22 (including)	11.0.0-milestone22 (including)
Tomcat	Apache	11.0.0-milestone23 (including)	11.0.0-milestone23 (including)
Tomcat	Apache	11.0.0-milestone24 (including)	11.0.0-milestone24 (including)
Tomcat	Apache	11.0.0-milestone25 (including)	11.0.0-milestone25 (including)
Tomcat	Apache	11.0.0-milestone3 (including)	11.0.0-milestone3 (including)
Tomcat	Apache	11.0.0-milestone4 (including)	11.0.0-milestone4 (including)
Tomcat	Apache	11.0.0-milestone5 (including)	11.0.0-milestone5 (including)
Tomcat	Apache	11.0.0-milestone6 (including)	11.0.0-milestone6 (including)
Tomcat	Apache	11.0.0-milestone7 (including)	11.0.0-milestone7 (including)
Tomcat	Apache	11.0.0-milestone8 (including)	11.0.0-milestone8 (including)
Tomcat	Apache	11.0.0-milestone9 (including)	11.0.0-milestone9 (including)
Red Hat Enterprise Linux 10	RedHat	tomcat9-1:9.0.87-5.el10_0	*
Red Hat Enterprise Linux 10	RedHat	tomcat-1:10.1.36-1.el10_0	*
Red Hat Enterprise Linux 8	RedHat	tomcat-1:9.0.87-1.el8_10.3	*
Red Hat Enterprise Linux 8.8 Extended Update Support	RedHat	tomcat-1:9.0.87-1.el8_8.4	*
Red Hat Enterprise Linux 9	RedHat	tomcat-1:9.0.87-2.el9_5.1	*
Red Hat Enterprise Linux 9.2 Extended Update Support	RedHat	tomcat-1:9.0.87-1.el9_2.3	*
Red Hat Enterprise Linux 9.4 Extended Update Support	RedHat	tomcat-1:9.0.87-1.el9_4.3	*
Red Hat JBoss Web Server 5	RedHat	tomcat	*
Red Hat JBoss Web Server 5.8 on RHEL 7	RedHat	jws5-tomcat-0:9.0.87-8.redhat_00008.1.el7jws	*
Red Hat JBoss Web Server 5.8 on RHEL 8	RedHat	jws5-tomcat-0:9.0.87-8.redhat_00008.1.el8jws	*
Red Hat JBoss Web Server 5.8 on RHEL 9	RedHat	jws5-tomcat-0:9.0.87-8.redhat_00008.1.el9jws	*
Red Hat JBoss Web Server 6	RedHat	tomcat	*
Red Hat JBoss Web Server 6.1 on RHEL 8	RedHat	jws6-tomcat-0:10.1.36-6.redhat_00007.1.el8jws	*
Red Hat JBoss Web Server 6.1 on RHEL 9	RedHat	jws6-tomcat-0:10.1.36-6.redhat_00007.1.el9jws	*
Tomcat10	Ubuntu	esm-apps/noble	*
Tomcat10	Ubuntu	noble	*
Tomcat10	Ubuntu	oracular	*
Tomcat10	Ubuntu	upstream	*
Tomcat6	Ubuntu	upstream	*
Tomcat7	Ubuntu	upstream	*
Tomcat8	Ubuntu	upstream	*
Tomcat9	Ubuntu	devel	*
Tomcat9	Ubuntu	esm-apps/bionic	*
Tomcat9	Ubuntu	esm-apps/focal	*
Tomcat9	Ubuntu	esm-apps/jammy	*
Tomcat9	Ubuntu	esm-apps/noble	*
Tomcat9	Ubuntu	focal	*
Tomcat9	Ubuntu	jammy	*
Tomcat9	Ubuntu	noble	*
Tomcat9	Ubuntu	oracular	*
Tomcat9	Ubuntu	plucky	*
Tomcat9	Ubuntu	questing	*
Tomcat9	Ubuntu	upstream	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2025-24813
CWE	https://cwe.mitre.org/data/definitions/44.html

Path Equivalence: 'file.name' (Internal Dot)

Weakness

Affected Software

References