Overview
Apache Tomcat's default servlet contains a path equivalence vulnerability when write operations are enabled. An attacker with write access to the upload directory can exploit internal dot handling in file names to execute arbitrary code, disclose sensitive information, or inject malicious content into uploaded files. The vulnerability was disclosed on March 10, 2025. CISA has identified CVE-2025-24813 as being exploited but is not currently known to be used in ransomware campaigns.
Technical details
Apache Tomcat's default servlet implementation has a path equivalence flaw related to how it processes file names containing internal dots. When write operations are enabled on the default servlet, attackers who have write access to the upload directory can craft specially formatted file names that exploit this path normalization issue. This allows them to write files to unintended locations on the filesystem, potentially achieving remote code execution through JSP upload, reading sensitive files, or modifying application resources.
The vulnerability is classified as CWE-41 (Improper Resolution of Path Equivalence), CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')).
The vulnerability has received a CVSS v3.1 base score of (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating its critical nature.
Impact
Successful exploitation allows attackers to: (1) Execute arbitrary code on the server by uploading malicious JSP files that bypass extension filters, (2) Read sensitive information by accessing files outside the intended upload directory, (3) Modify or inject malicious content into application resources, potentially compromising the entire application and underlying system. In scenarios where Tomcat runs with elevated privileges, this could lead to complete system compromise.
Mitigation and workarounds
As temporary workarounds:
1. Disable write operations on the default servlet by setting readonly to 'true' in web.xml. This is the default configuration in most Tomcat deployments.
2. Restrict access to upload endpoints using HTTP authentication or firewall rules to limit write access to trusted sources only.
3. Implement strict file name validation and filtering to reject file names containing dots or other suspicious patterns. Use a whitelist approach for allowed characters.
4. Use a dedicated, isolated upload directory that is not within the web root, and configure a separate servlet/application for handling uploads with strict security controls.
5. Configure Tomcat to run with minimal privileges using a dedicated, unprivileged user account. This limits the impact of successful exploitation.
CISA's recommendation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Additional resources
Source: This report was generated using AI

