A recently disclosed security flaw affecting Apache Tomcat has come under active exploitation in the wild following the release of a public proof-of-concept (PoC) exploit just 30 hours after public disclosure.
The vulnerability, tracked as CVE-2025-24813, affects the versions below:
- Apache Tomcat 11.0.0-M1 to 11.0.2
- Apache Tomcat 10.1.0-M1 to 10.1.34
- Apache Tomcat 9.0.0-M1 to 9.0.98
The flaw, a path equivalence issue in how Tomcat's default servlet handles partial PUT requests, can lead to remote code execution or information disclosure when specific conditions are met:
- Writes enabled for the default servlet (disabled by default)
- Support for partial PUT (enabled by default)
- A target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads
- Attacker knowledge of the names of security sensitive files being uploaded
- The security sensitive files also being uploaded via partial PUT
Successful exploitation could permit a malicious user to view security sensitive files or inject arbitrary content into those files by means of a PUT request.
Additionally, an attacker could achieve remote code execution if all of the following conditions are true:
- Writes enabled for the default servlet (disabled by default)
- Support for partial PUT (enabled by default)
- The application was using Tomcat's file-based session persistence with the default storage location
- The application included a library that may be leveraged in a deserialization attack
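Both condition lists above map almost entirely onto two Tomcat configuration files, so the quickest triage is to read them. The script below is an added example written for this article (it is not Apache's or Wallarm's code): it parses constructed `conf/web.xml` and `context.xml` fragments and reports which of the configuration preconditions hold. It assumes that the DefaultServlet's `readonly` and `allowPartialPut` init-params govern the first two conditions (readonly=true and allowPartialPut=true being the shipped defaults) and that a `FileStore` declared without a `directory` attribute is the "default storage location" the advisory refers to. The remaining RCE condition, a deserialization gadget on the classpath, cannot be judged from configuration and is deliberately not claimed by the script.

```python
import xml.etree.ElementTree as ET

# Constructed configuration fragments (hypothetical, not from any real deployment).
# WEB_XML_WRITABLE sets the DefaultServlet "readonly" init-param to false, i.e. the
# "writes enabled for the default servlet" condition. Tomcat ships read-only.
WEB_XML_WRITABLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Stock declaration: no readonly / allowPartialPut params, so the defaults apply.
WEB_XML_DEFAULT = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
</web-app>"""

# Hardened variant: explicitly read-only and partial PUT switched off.
WEB_XML_HARDENED = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# PersistentManager with a FileStore and no "directory" attribute: the default
# storage location the advisory's RCE condition refers to (assumption).
CONTEXT_XML_FILESTORE = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

CONTEXT_XML_DEFAULT = "<Context/>"


def _local(tag):
    """Drop any XML namespace prefix: '{uri}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _text(el):
    return (el.text or "").strip()


def default_servlet_params(web_xml):
    """Init-params of the DefaultServlet declaration, names and values lower-cased."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = [_text(c) for c in servlet if _local(c.tag) == "servlet-class"]
        if not cls or not cls[0].endswith("DefaultServlet"):
            continue
        params = {}
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): _text(c) for c in ip}
            params[kv.get("param-name", "").lower()] = kv.get("param-value", "").lower()
        return params
    return {}


def file_store_in_default_dir(context_xml):
    """True when a PersistentManager uses FileStore without an explicit directory."""
    for manager in ET.fromstring(context_xml).iter():
        if _local(manager.tag) != "Manager":
            continue
        if not manager.get("className", "").endswith("PersistentManager"):
            continue
        for store in manager:
            if _local(store.tag) == "Store" and store.get("className", "").endswith("FileStore"):
                return store.get("directory") is None
    return False


def audit(web_xml, context_xml):
    """Map the advisory's configuration preconditions onto the parsed files."""
    p = default_servlet_params(web_xml)
    writable = p.get("readonly", "true") == "false"            # disabled by default
    partial_put = p.get("allowpartialput", "true") != "false"  # enabled by default
    file_store = file_store_in_default_dir(context_xml)
    return {
        "default_servlet_writable": writable,
        "partial_put_enabled": partial_put,
        "file_store_default_dir": file_store,
        # Upload/overwrite/read exposure: the two conditions the advisory lists first.
        "exposed": writable and partial_put,
        # RCE additionally needs file-based persistence in the default location; the
        # gadget-library condition cannot be judged from configuration alone.
        "rce_config_preconditions": writable and partial_put and file_store,
    }


if __name__ == "__main__":
    for name, web, ctx in [
        ("writable + FileStore", WEB_XML_WRITABLE, CONTEXT_XML_FILESTORE),
        ("stock defaults", WEB_XML_DEFAULT, CONTEXT_XML_DEFAULT),
        ("hardened", WEB_XML_HARDENED, CONTEXT_XML_FILESTORE),
    ]:
        print(name, audit(web, ctx))
```

Point the two parsers at a real `conf/web.xml` and the application's `META-INF/context.xml` (or `conf/context.xml`) to get the same report for a live instance; a `default_servlet_writable` of `True` is the finding that matters most, since it is the condition that is off in a stock installation.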
In an advisory released last week, the project maintainers said the vulnerability has been resolved in Tomcat versions 9.0.99, 10.1.35, and 11.0.3.
But in a concerning turn, the vulnerability is already being exploited in the wild, with attempts observed by Wallarm.
"This attack takes advantage of Tomcat's default session persistence mechanism along with its support for partial PUT requests," the company said.
"Exploitation works in two stages: the attacker uploads a serialized Java session file via a PUT request. The attacker triggers deserialization by referencing the malicious session ID in a GET request."
Put differently, the attacks involve sending a PUT request containing a base64-encoded serialized Java payload that is written to Tomcat's session storage directory, which is subsequently executed upon deserialization by sending a GET request with a JSESSIONID that points to the malicious session.
Wallarm also said the vulnerability is trivial to exploit and requires no authentication, and that the only prerequisite is that Tomcat uses file-based session storage. Note that the Apache advisory's other preconditions, in particular the default servlet accepting writes, still apply, and writes are disabled in a stock installation.
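The two-stage sequence described above (a PUT from a client, then a GET from the same client presenting a session ID the server never issued) is simple enough to hunt for in access logs. The script below is an added example written for this article, not Wallarm's or Apache's tooling. It assumes an `AccessLogValve` pattern of `%h %t "%r" %s %{JSESSIONID}c` so that the cookie value is logged (the stock "common" pattern does not include it), assumes stock 32-hex-character Tomcat session IDs with an optional `.jvmRoute` suffix, and treats a PUT to a path ending in `.session` (the suffix `FileStore` uses for persisted sessions) as a stronger signal. The log lines and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed AccessLogValve pattern (not Tomcat's default "common" pattern):
#   %h %t "%r" %s %{JSESSIONID}c
# client, timestamp, request line, status, JSESSIONID cookie value ("-" if absent).
LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<jsessionid>\S+)$'
)

# Stock Tomcat session IDs are 32 hex characters, optionally followed by
# ".<jvmRoute>" (assumption: the default session ID generator is in use).
HEX_SESSION_RE = re.compile(r"^[0-9A-Fa-f]{32}(\.\w+)?$")

# Constructed sample traffic (not captured from a real incident):
# 203.0.113.5 uploads a ".session" file with PUT and two seconds later presents
# a JSESSIONID it was never issued; 198.51.100.7 is an ordinary user whose
# legitimate PUT and later GET are thirteen minutes apart.
SAMPLE_LOG = """\
198.51.100.7 [18/Mar/2025:10:00:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 5F1A2B3C4D5E6F7081920A1B2C3D4E5F
203.0.113.5 [18/Mar/2025:10:01:02 +0000] "PUT /app/uploads/payload.session HTTP/1.1" 204 -
203.0.113.5 [18/Mar/2025:10:01:04 +0000] "GET /app/ HTTP/1.1" 500 attacker-chosen-id
198.51.100.7 [18/Mar/2025:10:02:00 +0000] "PUT /app/uploads/report.txt HTTP/1.1" 201 5F1A2B3C4D5E6F7081920A1B2C3D4E5F
198.51.100.7 [18/Mar/2025:10:15:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 5F1A2B3C4D5E6F7081920A1B2C3D4E5F
"""


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["time"], "%d/%b/%Y:%H:%M:%S %z")
    return ev


def looks_server_issued(session_id):
    """Does this JSESSIONID look like one Tomcat generated itself?"""
    return bool(HEX_SESSION_RE.match(session_id))


def detect(log_text, window_seconds=300):
    """Correlate each PUT with later GETs from the same client, inside the window,
    that present a JSESSIONID. Score: 1 for the sequence itself, +1 if the PUT
    target carries FileStore's ".session" suffix, +1 if the presented ID does not
    look server-issued. Returns one alert per PUT/GET pair, highest score last."""
    events = [ev for ev in map(parse, log_text.splitlines()) if ev]
    puts_by_host = defaultdict(list)
    alerts = []
    for ev in events:
        if ev["method"] == "PUT":
            puts_by_host[ev["host"]].append(ev)
            continue
        if ev["method"] != "GET" or ev["jsessionid"] == "-":
            continue
        for put in puts_by_host[ev["host"]]:
            age = (ev["time"] - put["time"]).total_seconds()
            if not 0 <= age <= window_seconds:
                continue
            score = 1
            if put["path"].endswith(".session"):
                score += 1
            if not looks_server_issued(ev["jsessionid"]):
                score += 1
            alerts.append({
                "host": ev["host"],
                "put_path": put["path"],
                "jsessionid": ev["jsessionid"],
                "seconds_between": age,
                "score": score,
            })
    return sorted(alerts, key=lambda a: a["score"])


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Any PUT at all is worth a look on a server whose default servlet should be read-only; the scoring only orders the follow-up. Because only the two-request shape and the cookie format are used, the same logic works on logs where the payload itself was never captured.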
"While this exploit abuses session storage, the bigger issue is partial PUT handling in Tomcat, which allows uploading practically any file anywhere," it said. "Attackers will soon start shifting their tactics, uploading malicious JSP files, modifying configurations, and planting backdoors outside session storage."
Users running affected versions of Tomcat are advised to update their instances as soon as possible to mitigate potential threats.