## https://sploitus.com/exploit?id=7D18273C-34E3-5A00-B425-67EF1C53E606
# CVE-2025-24813 - Apache Tomcat Partial PUT + Deserialization RCE
[NVD entry: CVE-2025-24813](https://nvd.nist.gov/vuln/detail/CVE-2025-24813)
[Apache Tomcat](https://tomcat.apache.org/)
[License](LICENSE)
## 📋 Overview
CVE-2025-24813 is a high‑severity vulnerability in Apache Tomcat that allows **unauthenticated remote code execution** when three conditions are met:
1. The default servlet has write access enabled (`readonly=false`).
2. Partial PUT support is enabled (default).
3. File‑based session persistence is configured (`PersistentManager` with `FileStore`).
An attacker can upload a malicious serialized Java object via a **partial PUT request** (using the `Content-Range` header) into the session storage directory. By then sending a GET request with a crafted `JSESSIONID` cookie, Tomcat deserialises the object and executes arbitrary commands (provided a deserialisation gadget – e.g., `commons-collections` – is present in the classpath).
> **⚠️ Important**
> This vulnerability is **not** present in a default Tomcat installation. It requires specific (and unusual) configuration changes that are typically found only in development or bespoke environments.
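As an added defensive check (not part of this repository), the following Python script evaluates the three preconditions above against a `web.xml` and `context.xml`: it flags a writable default servlet, partial PUT support, and a `PersistentManager` backed by a `FileStore`. The sample configuration fragments are constructed for the example, and the `allowPartialPut` parameter name is assumed to be the DefaultServlet switch for disabling partial PUT on patched releases.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments (not from the project): a pair that meets all
# three conditions, and a web.xml with the default servlet left read-only.
VULN_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""
SAFE_WEB_XML = VULN_WEB_XML.replace("<param-value>false", "<param-value>true")
VULN_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager></Context>"""

def default_servlet_params(web_xml):
    """Collect init-params of the servlet named 'default', namespace-agnostic."""
    root = ET.fromstring(web_xml)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    for servlet in root.iter(ns + "servlet"):
        if servlet.findtext(ns + "servlet-name", "").strip() == "default":
            return {p.findtext(ns + "param-name", "").strip():
                    p.findtext(ns + "param-value", "").strip().lower()
                    for p in servlet.findall(ns + "init-param")}
    return {}

def uses_file_store(context_xml):
    """True when a PersistentManager in context.xml is backed by a FileStore."""
    root = ET.fromstring(context_xml)
    return any(m.get("className", "").endswith(".PersistentManager")
               and any(s.get("className", "").endswith(".FileStore")
                       for s in m.findall("Store"))
               for m in root.iter("Manager"))

def audit(web_xml, context_xml):
    """Evaluate the three preconditions; all three must hold to be exposed."""
    p = default_servlet_params(web_xml)
    checks = {
        "default_servlet_writable": p.get("readonly", "true") == "false",
        # Partial PUT is on by default; the assumed allowPartialPut param turns it off.
        "partial_put_enabled": p.get("allowPartialPut", "true") != "false",
        "file_based_sessions": uses_file_store(context_xml),
    }
    checks["exposed"] = all(checks.values())
    return checks

if __name__ == "__main__":
    for label, wx in (("misconfigured", VULN_WEB_XML), ("read-only servlet", SAFE_WEB_XML)):
        print(label, audit(wx, VULN_CONTEXT_XML))
```

Run it against a real `conf/web.xml` and `conf/context.xml` (or a webapp's `WEB-INF/web.xml` and `META-INF/context.xml`) by reading the files into the two arguments; any single condition failing means the chain described above cannot be completed.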
## 🎯 Affected Versions
- Apache Tomcat 9.0.90
- Apache Tomcat 10.1.34
- Apache Tomcat 11.0.2
Earlier versions may also be vulnerable if the same misconfigurations exist.
## 🔧 Prerequisites
### Target machine
- Docker & Docker Compose
- Git
### Attacker machine
- Python 3
- `pip` (for `requests` library)
- Java runtime (to run `ysoserial`)
- `netcat` (`nc`)
- `curl`
---
## 🚀 Quick Start (Lab Setup)
### 1. Build the vulnerable Tomcat container (Target)
```bash
git clone https://github.com/beyond-devsecops/CVE-2025-24813.git
cd CVE-2025-24813
chmod +x 0-run-tomcat.sh
bash 0-run-tomcat.sh