CVE-2025-24813 · CRITICAL 9.8 · CISA KEV · EPSS p100.0%

CVE-2025-24813: Apache Tomcat Path Equivalence Vulnerability

Apache / Tomcat

Description

Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT request.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 99.94% probability of exploitation · percentile 100.0% · 2026-06-15T12:03:41Z
Published: 2025-03-10
Last modified: 2025-10-23

CISA KEV entry

Added to KEV: 2025-04-01

Underlying weaknesses · 3

CWE-44, CWE-502, CWE-706

References

  1. https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
  2. http://www.openwall.com/lists/oss-security/2025/03/10/5
  3. https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html
  4. https://security.netapp.com/advisory/ntap-20250321-0001/
  5. https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce
  6. https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce
  7. https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-detect-vulnerability
  8. https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-mitigation-vulnerability

Type | Target | Confidence | Tier
Weakness | Path Equivalence: 'file.name' (Internal Dot) (cwe-44) | 0% | live
Weakness | Deserialization of Untrusted Data (cwe-502) | 0% | live
Weakness | Use of Incorrectly-Resolved Name or Reference (cwe-706) | 0% | live

(incoming) · 1

Type | Target | Confidence | Tier
KEVEntry | Apache Tomcat Path Equivalence Vulnerability (kev-cve-2025-24813) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: Apache Tomcat Remote Code Execution Vulnerability
  - CVE: Apache Tomcat on Windows Remote Code Execution Vulnerability
  - CVE: CVE-2026-41293
  - CVE: CVE-2025-31651
  - CVE: Apache HTTP Server Path Traversal Vulnerability
  - CVE: CVE-2026-43515

Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.