Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2025-24813

Path Equivalence: 'file.name' (Internal Dot)

Published: Mar 10, 2025 | Modified: Mar 21, 2025
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
8.6 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Ubuntu
MEDIUM
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2025-24813
CWEhttps://cwe.mitre.org/data/definitions/44.html

Path Equivalence: file.Name (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default)

  • support for partial PUT (enabled by default)
  • a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

  • writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcats file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

Weakness

The product accepts path input in the form of internal dot (‘file.ordir’) without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.

Affected Software

Name Vendor Start Version End Version
Tomcat Apache 9.0.1 (including) 9.0.99 (excluding)
Tomcat Apache 10.1.1 (including) 10.1.35 (excluding)
Tomcat Apache 11.0.1 (including) 11.0.3 (excluding)
Tomcat Apache 9.0.0-milestone1 (including) 9.0.0-milestone1 (including)
Tomcat Apache 9.0.0-milestone10 (including) 9.0.0-milestone10 (including)
Tomcat Apache 9.0.0-milestone11 (including) 9.0.0-milestone11 (including)
Tomcat Apache 9.0.0-milestone12 (including) 9.0.0-milestone12 (including)
Tomcat Apache 9.0.0-milestone13 (including) 9.0.0-milestone13 (including)
Tomcat Apache 9.0.0-milestone14 (including) 9.0.0-milestone14 (including)
Tomcat Apache 9.0.0-milestone15 (including) 9.0.0-milestone15 (including)
Tomcat Apache 9.0.0-milestone16 (including) 9.0.0-milestone16 (including)
Tomcat Apache 9.0.0-milestone17 (including) 9.0.0-milestone17 (including)
Tomcat Apache 9.0.0-milestone18 (including) 9.0.0-milestone18 (including)
Tomcat Apache 9.0.0-milestone19 (including) 9.0.0-milestone19 (including)
Tomcat Apache 9.0.0-milestone2 (including) 9.0.0-milestone2 (including)
Tomcat Apache 9.0.0-milestone20 (including) 9.0.0-milestone20 (including)
Tomcat Apache 9.0.0-milestone21 (including) 9.0.0-milestone21 (including)
Tomcat Apache 9.0.0-milestone22 (including) 9.0.0-milestone22 (including)
Tomcat Apache 9.0.0-milestone23 (including) 9.0.0-milestone23 (including)
Tomcat Apache 9.0.0-milestone24 (including) 9.0.0-milestone24 (including)
Tomcat Apache 9.0.0-milestone25 (including) 9.0.0-milestone25 (including)
Tomcat Apache 9.0.0-milestone26 (including) 9.0.0-milestone26 (including)
Tomcat Apache 9.0.0-milestone27 (including) 9.0.0-milestone27 (including)
Tomcat Apache 9.0.0-milestone3 (including) 9.0.0-milestone3 (including)
Tomcat Apache 9.0.0-milestone4 (including) 9.0.0-milestone4 (including)
Tomcat Apache 9.0.0-milestone5 (including) 9.0.0-milestone5 (including)
Tomcat Apache 9.0.0-milestone6 (including) 9.0.0-milestone6 (including)
Tomcat Apache 9.0.0-milestone7 (including) 9.0.0-milestone7 (including)
Tomcat Apache 9.0.0-milestone8 (including) 9.0.0-milestone8 (including)
Tomcat Apache 9.0.0-milestone9 (including) 9.0.0-milestone9 (including)
Tomcat Apache 10.1.0-milestone1 (including) 10.1.0-milestone1 (including)
Tomcat Apache 10.1.0-milestone10 (including) 10.1.0-milestone10 (including)
Tomcat Apache 10.1.0-milestone11 (including) 10.1.0-milestone11 (including)
Tomcat Apache 10.1.0-milestone12 (including) 10.1.0-milestone12 (including)
Tomcat Apache 10.1.0-milestone13 (including) 10.1.0-milestone13 (including)
Tomcat Apache 10.1.0-milestone14 (including) 10.1.0-milestone14 (including)
Tomcat Apache 10.1.0-milestone15 (including) 10.1.0-milestone15 (including)
Tomcat Apache 10.1.0-milestone16 (including) 10.1.0-milestone16 (including)
Tomcat Apache 10.1.0-milestone17 (including) 10.1.0-milestone17 (including)
Tomcat Apache 10.1.0-milestone18 (including) 10.1.0-milestone18 (including)
Tomcat Apache 10.1.0-milestone19 (including) 10.1.0-milestone19 (including)
Tomcat Apache 10.1.0-milestone2 (including) 10.1.0-milestone2 (including)
Tomcat Apache 10.1.0-milestone20 (including) 10.1.0-milestone20 (including)
Tomcat Apache 10.1.0-milestone3 (including) 10.1.0-milestone3 (including)
Tomcat Apache 10.1.0-milestone4 (including) 10.1.0-milestone4 (including)
Tomcat Apache 10.1.0-milestone5 (including) 10.1.0-milestone5 (including)
Tomcat Apache 10.1.0-milestone6 (including) 10.1.0-milestone6 (including)
Tomcat Apache 10.1.0-milestone7 (including) 10.1.0-milestone7 (including)
Tomcat Apache 10.1.0-milestone8 (including) 10.1.0-milestone8 (including)
Tomcat Apache 10.1.0-milestone9 (including) 10.1.0-milestone9 (including)
Tomcat Apache 11.0.0-milestone1 (including) 11.0.0-milestone1 (including)
Tomcat Apache 11.0.0-milestone10 (including) 11.0.0-milestone10 (including)
Tomcat Apache 11.0.0-milestone11 (including) 11.0.0-milestone11 (including)
Tomcat Apache 11.0.0-milestone12 (including) 11.0.0-milestone12 (including)
Tomcat Apache 11.0.0-milestone13 (including) 11.0.0-milestone13 (including)
Tomcat Apache 11.0.0-milestone14 (including) 11.0.0-milestone14 (including)
Tomcat Apache 11.0.0-milestone15 (including) 11.0.0-milestone15 (including)
Tomcat Apache 11.0.0-milestone16 (including) 11.0.0-milestone16 (including)
Tomcat Apache 11.0.0-milestone17 (including) 11.0.0-milestone17 (including)
Tomcat Apache 11.0.0-milestone18 (including) 11.0.0-milestone18 (including)
Tomcat Apache 11.0.0-milestone19 (including) 11.0.0-milestone19 (including)
Tomcat Apache 11.0.0-milestone2 (including) 11.0.0-milestone2 (including)
Tomcat Apache 11.0.0-milestone20 (including) 11.0.0-milestone20 (including)
Tomcat Apache 11.0.0-milestone21 (including) 11.0.0-milestone21 (including)
Tomcat Apache 11.0.0-milestone22 (including) 11.0.0-milestone22 (including)
Tomcat Apache 11.0.0-milestone23 (including) 11.0.0-milestone23 (including)
Tomcat Apache 11.0.0-milestone24 (including) 11.0.0-milestone24 (including)
Tomcat Apache 11.0.0-milestone25 (including) 11.0.0-milestone25 (including)
Tomcat Apache 11.0.0-milestone3 (including) 11.0.0-milestone3 (including)
Tomcat Apache 11.0.0-milestone4 (including) 11.0.0-milestone4 (including)
Tomcat Apache 11.0.0-milestone5 (including) 11.0.0-milestone5 (including)
Tomcat Apache 11.0.0-milestone6 (including) 11.0.0-milestone6 (including)
Tomcat Apache 11.0.0-milestone7 (including) 11.0.0-milestone7 (including)
Tomcat Apache 11.0.0-milestone8 (including) 11.0.0-milestone8 (including)
Tomcat Apache 11.0.0-milestone9 (including) 11.0.0-milestone9 (including)
Tomcat10 Ubuntu esm-apps/noble *
Tomcat10 Ubuntu noble *
Tomcat10 Ubuntu oracular *
Tomcat9 Ubuntu esm-apps/bionic *
Tomcat9 Ubuntu esm-apps/focal *
Tomcat9 Ubuntu esm-apps/jammy *
Tomcat9 Ubuntu focal *
Tomcat9 Ubuntu jammy *

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use