CVE-2025-24813 Potential RCE and/or information disclosure and/or 
information corruption with partial PUT

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.2
Apache Tomcat 10.1.0-M1 to 10.1.34
Apache Tomcat 9.0.0.M1 to 9.0.98

Description:
The original implementation of partial PUT used a temporary file based 
on the user provided file name and path with the path separator replaced 
by ".".

If all of the following were true, a malicious user was able to view 
security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory
   of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being
   uploaded
- the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform 
remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with
   the default storage location
- application included a library that may be leveraged in a
   deserialization attack

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.3 or later
- Upgrade to Apache Tomcat 10.1.35 or later
- Upgrade to Apache Tomcat 9.0.99 or later

Credit:
Information disclosure/corruption: COSCO Shipping Lines DIC
Remote code execution: sw0rd1ight (https://github.com/sw0rd1ight)

History:
2025-03-10 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html