一、 漏洞 CVE-2025-24813 基础信息
漏洞标题
Apache Tomcat: 带有部分PUT的潜在RCE以及信息泄露以及信息破坏
来源:AIGC 神龙大模型
漏洞描述信息
N/A
来源:AIGC 神龙大模型
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
来源:AIGC 神龙大模型
漏洞类别
对路径名的限制不恰当(路径遍历)
来源:AIGC 神龙大模型
漏洞标题
Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
来源:美国国家漏洞数据库 NVD
漏洞描述信息
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
来源:美国国家漏洞数据库 NVD
CVSS信息
N/A
来源:美国国家漏洞数据库 NVD
漏洞类别
路径等价:’file.name’ (内部点号)
来源:美国国家漏洞数据库 NVD
漏洞标题
Apache Tomcat 环境问题漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
Apache Tomcat是美国阿帕奇(Apache)基金会的一款轻量级Web应用服务器。用于实现对Servlet和JavaServer Page(JSP)的支持。 Apache Tomcat 11.0.0-M1至11.0.2版本、10.1.0-M1至10.1.34版本和9.0.0.M1至9.0.98版本存在环境问题漏洞。攻击者利用该漏洞可以远程执行代码或泄露敏感信息。
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
环境问题
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2025-24813 的公开POC
# POC 描述 源链接 神龙链接
1 Apache Tomcat 远程代码执行漏洞批量检测脚本(CVE-2025-24813) https://github.com/iSee857/CVE-2025-24813-PoC POC详情
2 CVE-2025-24813_POC https://github.com/N0c1or/CVE-2025-24813_POC POC详情
3 Security Researcher https://github.com/gregk4sec/CVE-2025-24813 POC详情
4 his repository contains an automated Proof of Concept (PoC) script for exploiting **CVE-2025-24813**, a Remote Code Execution (RCE) vulnerability in Apache Tomcat. The vulnerability allows an attacker to upload a malicious serialized payload to the server, leading to arbitrary code execution via deserialization when specific conditions are met. https://github.com/absholi7ly/POC-CVE-2025-24813 POC详情
5 cve-2025-24813验证脚本 https://github.com/FY036/cve-2025-24813_poc POC详情
6 CVE-2025-24813利用工具 https://github.com/charis3306/CVE-2025-24813 POC详情
7 CVE-2025-24813 - Apache Tomcat Vulnerability Scanner https://github.com/issamjr/CVE-2025-24813-Scanner POC详情
8 Nuclei Template CVE-2025–24813 https://github.com/imbas007/CVE-2025-24813-apache-tomcat POC详情
9 Apache Tomcat Remote Code Execution (RCE) Exploit - CVE-2025-24813 https://github.com/msadeghkarimi/CVE-2025-24813-Exploit POC详情
10 None https://github.com/naikordian/CVE-2025-24813 POC详情
11 Apache Tomcat Vulnerability POC (CVE-2025-24813) https://github.com/michael-david-fry/Apache-Tomcat-Vulnerability-POC-CVE-2025-24813 POC详情
12 Resources for teh Apache Tomcat CVE lab https://github.com/ps-interactive/lab-cve-2025-24813 POC详情
13 POC for CVE-2025-24813 using Spring-Boot https://github.com/n0n-zer0/Spring-Boot-Tomcat-CVE-2025-24813 POC详情
14 CVE-2025-24813 Apache Tomcat RCE Proof of Concept (PoC) https://github.com/Alaatk/CVE-2025-24813-POC POC详情
15 None https://github.com/MuhammadWaseem29/CVE-2025-24813 POC详情
16 A PoC for CVE-2025-24813 https://github.com/tonyarris/CVE-2025-24813-PoC POC详情
17 Session Exploit https://github.com/beyond-devsecops/CVE-2025-24813 POC详情
18 A playground to test the RCE exploit for tomcat CVE-2025-24813 https://github.com/u238/Tomcat-CVE_2025_24813 POC详情
19 Create lab for CVE-2025-24813 https://github.com/AlperenY-cs/CVE-2025-24813 POC详情
20 This repository contains a shell script based POC on Apache Tomcat CVE-2025-24813. It allow you to easily test the vulnerability on any version of Apache Tomcat https://github.com/manjula-aw/CVE-2025-24813 POC详情
21 None https://github.com/B1gN0Se/Tomcat-CVE-2025-24813 POC详情
22 simple exp for CVE-2025-24813 https://github.com/AsaL1n/CVE-2025-24813 POC详情
23 CVE-2025-24813-POC JSP Web Shell Uploader https://github.com/La3B0z/CVE-2025-24813-POC POC详情
24 None https://github.com/Heimd411/CVE-2025-24813-noPoC POC详情
25 Hello researchers, I have a checker for the recent vulnerability CVE-2025-24813-checker. https://github.com/horsehacks/CVE-2025-24813-checker POC详情
26 None https://github.com/GadaLuBau1337/CVE-2025-24813 POC详情
27 A simple, easy-to-use POC for CVE-2025-42813 (Apache Tomcat versions below 9.0.99). https://github.com/f8l124/CVE-2025-24813-POC POC详情
28 CVE-2025-24813 poc https://github.com/Franconyu/Poc_for_CVE-2025-24813 POC详情
29 Path Equivalence- 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-24813.yaml POC详情
30 None https://github.com/Threekiii/Awesome-POC/blob/master/%E4%B8%AD%E9%97%B4%E4%BB%B6%E6%BC%8F%E6%B4%9E/Tomcat%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2025-24813.md POC详情
31 https://github.com/vulhub/vulhub/blob/master/tomcat/CVE-2025-24813/README.md POC详情
32 None https://github.com/Mattb709/CVE-2025-24813-PoC-Apache-Tomcat-RCE POC详情
33 CVE-2025-24813-Scanner is a Python-based vulnerability scanner that detects Apache Tomcat servers vulnerable to CVE-2025-24813, an arbitrary file upload vulnerability leading to remote code execution (RCE) via insecure PUT method handling and jsessionid exploitation. https://github.com/Mattb709/CVE-2025-24813-Scanner POC详情
三、漏洞 CVE-2025-24813 的情报信息