## https://sploitus.com/exploit?id=PACKETSTORM:189897
CVE-2025-24813 Potential RCE and/or information disclosure and/or
information corruption with partial PUT
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.2
Apache Tomcat 10.1.0-M1 to 10.1.34
Apache Tomcat 9.0.0.M1 to 9.0.98
Description:
The original implementation of partial PUT used a temporary file based
on the user provided file name and path with the path separator replaced
by ".".
If all of the following were true, a malicious user was able to view
security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory
of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being
uploaded
- the security sensitive files also being uploaded via partial PUT
If all of the following were true, a malicious user was able to perform
remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with
the default storage location
- application included a library that may be leveraged in a
deserialization attack
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.3 or later
- Upgrade to Apache Tomcat 10.1.35 or later
- Upgrade to Apache Tomcat 9.0.99 or later
Credit:
Information disclosure/corruption: COSCO Shipping Lines DIC
Remote code execution: sw0rd1ight (https://github.com/sw0rd1ight)
History:
2025-03-10 Original advisory
References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html