## https://sploitus.com/exploit?id=9B6A4254-9966-5446-9A0B-E00208613142
# CVE-2025-24813: Apache Tomcat
## 1. Explanation
Tomcat is vulnerable because of two separate weaknesses that chain together. The first is in the `DefaultServlet`: a partial PUT (a `PUT` carrying a `Content-Range` header) is staged in the context's temp directory (the `ServletContext.TEMPDIR` attribute, i.e. the work directory) in a file whose name is the request path with every `/` replaced by `.`, and that file is left behind after the request. A `PUT` to `/poc.session` therefore leaves `.poc.session` in the work directory.
see:
https://github.com/apache/tomcat/blob/f2a274bc00cf73670a614999561c69a391b5e35f/java/org/apache/catalina/servlets/DefaultServlet.java#L608
The second is the `FileStore` class, which deserializes (through `ObjectInputStream`) any `<id>.session` file in its storage directory, and that directory defaults to the same work directory. The load is triggered by a request whose `JSESSIONID` cookie names the id, and also with no cookie at all when the manager's periodic expiry scan lists and loads every `.session` file it finds.
see:
https://github.com/apache/tomcat/blob/05a72ef525e41835aaf5ce3d04122970f4aa8c21/java/org/apache/catalina/session/FileStore.java#L202
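To make the collision between the two file names concrete, here is an added, stand-alone model of the two code paths linked above (written for this page; it is not Tomcat's own code, and the method names and the sample path `/poc.session` are this example's choices). It reproduces the naming rules of `executePartialPut` and `FileStore.file()`, including the FileStore check that the resolved file stays inside the storage directory, and shows that a partial PUT to `/poc.session` creates exactly the file that `FileStore.load(".poc")` opens:

```java
import java.io.File;
import java.io.IOException;
import java.io.RandomAccessFile;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;

/**
 * Added example, not Tomcat code: a model of the two naming rules that make
 * CVE-2025-24813 chain. Method names and the sample path are assumptions of
 * this example; the rules themselves mirror DefaultServlet and FileStore.
 */
public class PartialPutSessionModel {

    private static final String SESSION_EXT = ".session";

    /** Mirrors DefaultServlet.executePartialPut: the staging file for a partial
     *  PUT is "<tempdir>/<request path with every '/' turned into '.'>". */
    static File partialPutTempFile(File tempDir, String requestPath) {
        return new File(tempDir, requestPath.replace('/', '.'));
    }

    /** Mirrors FileStore.file(id): "<storageDir>/<id>.session", accepted only
     *  if the canonical path stays inside the storage directory. */
    static File sessionFile(File storageDir, String sessionId) throws IOException {
        File file = new File(storageDir, sessionId + SESSION_EXT);
        if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
            return null; // FileStore logs a warning and refuses to load this id
        }
        return file;
    }

    /** The session id FileStore would resolve to the staging file that a
     *  partial PUT of requestPath creates, or null when no collision is possible. */
    static String collidingSessionId(String requestPath) {
        String name = requestPath.replace('/', '.');
        if (!name.endsWith(SESSION_EXT)) {
            return null;
        }
        return name.substring(0, name.length() - SESSION_EXT.length());
    }

    /** Writes a Content-Range chunk the way executePartialPut does: open the
     *  staging file read/write, seek to the range start, write the body. The
     *  file is not removed afterwards. */
    static void writePartialPut(File tempFile, long rangeStart, byte[] body) throws IOException {
        try (RandomAccessFile raf = new RandomAccessFile(tempFile, "rw")) {
            raf.seek(rangeStart);
            raf.write(body);
        }
    }

    public static void main(String[] args) throws IOException {
        // Stand-in for the context work directory shared by both components.
        File work = Files.createTempDirectory("tomcat-work").toFile();

        // Step 1: a partial PUT to /poc.session is staged as ".poc.session".
        String path = "/poc.session";
        File staged = partialPutTempFile(work, path);
        byte[] body = "<serialized object bytes would go here>".getBytes(StandardCharsets.UTF_8);
        writePartialPut(staged, 0, body);
        System.out.println("partial PUT staged: " + staged.getName());

        // Step 2: FileStore resolves session id ".poc" to the very same file.
        String id = collidingSessionId(path);
        File loaded = sessionFile(work, id);
        System.out.println("FileStore.load(\"" + id + "\") opens: " + loaded.getName());
        System.out.println("same file: " + staged.getCanonicalPath().equals(loaded.getCanonicalPath()));

        // Paths that do not end in .session cannot collide with a session file.
        System.out.println("/poc.txt collides: " + (collidingSessionId("/poc.txt") != null));

        // An id that tries to leave the storage directory is rejected by the check.
        System.out.println("traversal rejected: " + (sessionFile(work, "../../outside") == null));
    }
}
```

Run it with `java PartialPutSessionModel.java` (JDK 11 or later). The point the output makes is that the attacker never needs to know or control the session file name: the request path alone fixes it, and any path ending in `.session` yields an id (`.poc` for `/poc.session`, `.a.b` for `/a/b.session`) that the store will accept.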
## 2. Vulnerable Tomcat Configuration
The application uses Tomcat 10.1.24 (the version bundled with Spring Boot 3.3.0), which is vulnerable to CVE-2025-24813, and configures it with:
- File-based session persistence using `PersistentManager` and `FileStore`, with the store at its default storage location (the context work directory)
- The default servlet re-enabled (`server.servlet.register-default-servlet=true`), since Spring Boot does not register it on its own
- Read-only mode disabled for the default servlet (`readonly=false`), which is what permits `PUT` at all

Partial PUT support itself is on by default (`allowPartialPut=true`), so nothing has to be enabled for that. Getting code execution out of the deserialization additionally requires a usable gadget chain on the application's classpath; the settings above only get attacker-controlled bytes into `ObjectInputStream`.
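How these conditions are wired into a Spring Boot 3.3 application, as an added example (not the page's own project code; the class and bean names are this example's choices, and it assumes `server.servlet.register-default-servlet=true` is set in `application.properties`, otherwise `context.findChild("default")` returns null):

```java
import org.apache.catalina.Context;
import org.apache.catalina.Wrapper;
import org.apache.catalina.session.FileStore;
import org.apache.catalina.session.PersistentManager;
import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Added example: the vulnerable configuration described in this section,
 * expressed as a Spring Boot TomcatContextCustomizer. Class and bean names
 * are assumptions of this example. Spring Boot applies customizers after its
 * own session setup, so the manager installed here is the one Tomcat uses.
 */
@Configuration
public class VulnerableTomcatConfig {

    @Bean
    public TomcatContextCustomizer fileBackedSessions() {
        return (Context context) -> {
            // Condition 1: PersistentManager backed by FileStore. With no
            // directory set, FileStore keeps "<id>.session" files in the
            // context work dir, the same directory DefaultServlet uses for
            // partial PUT staging files.
            PersistentManager manager = new PersistentManager();
            manager.setStore(new FileStore());
            context.setManager(manager);

            // Conditions 2 and 3: the default servlet Spring Boot registered
            // under the name "default", with writes enabled. The safe value
            // (and Tomcat's default) is readonly=true.
            Wrapper defaultServlet = (Wrapper) context.findChild("default");
            if (defaultServlet != null) {
                defaultServlet.addInitParameter("readonly", "false");
            }
        };
    }
}
```

Reverting any one of the three settings (dropping the `FileStore`, giving it a directory outside the work dir, or leaving `readonly` at its default of `true`) breaks the chain; upgrading Tomcat to a fixed release is still the actual remedy.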
## 3. Nuclei Template command
See template: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-24813.yaml
A cooldown period of 60 seconds is needed because the uploaded session file is only picked up when the manager's background expiry scan runs, which with Tomcat's defaults (10 s background processor, expiry check on every 6th pass) is roughly once a minute, so the payload fires with a delay:
`nuclei -target http://localhost:8080/ -t http/cves/2025/CVE-2025-24813.yaml -interactions-cooldown-period 60 -v`