Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CVE-2025-24813 PoC — Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT

Source
https://github.com/GadaLuBau1337/CVE-2025-24813
Associated Vulnerability
Title:Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT (CVE-2025-24813)
Description:Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
Readme
# CVE-2025-24813 Apache Tomcat RCE PoC
Proof of Concept (PoC) exploiting CVE-2025-24813, a Remote Code Execution (RCE) vulnerability in Apache Tomcat. The vulnerability allows an attacker to upload a malicious serialized payload to the server, leading to arbitrary code execution via deserialization when specific conditions are met.
---

## Description

**CVE-2025-24813** is a theoretical RCE vulnerability in Apache Tomcat that leverages improper handling of uploaded session files and deserialization mechanisms. By uploading a crafted payload to a writable directory (e.g., `/uploads/../sessions/`), an attacker can trigger deserialization, resulting in the execution of arbitrary commands on the target server.

---

## Prerequisites for Successful Exploitation

For this PoC to successfully exploit the vulnerability, the following conditions must be met:

1. **Apache Tomcat Version**: The target must be running a vulnerable version of Apache Tomcat.
2. **Writable Directory**: The server must allow PUT requests
3. **Deserialization Trigger**: The server must process the uploaded session file (e.g., via a GET request to `/index.jsp`) and trigger deserialization of the payload.
4. **Java Environment**: The attacker’s machine must have Java installed to generate payloads using `ysoserial` or compile Java-based payloads.
5. **ysoserial (Optional)**: If using the `ysoserial` payload type, the `ysoserial.jar` file must be available locally.

---

```
python CVE-2025-24813.py <target_url> [options]
```

## Output
* Successful Exploit:
```
[+] Server is writable via PUT: http://localhost:8081/check.txt
[*] Session ID: absholi7ly
[+] Payload generated successfully: payload.ser
[+] Payload uploaded with status 409 (Conflict): http://localhost:8081/uploads/../sessions/absholi7ly.session
[+] Exploit succeeded! Server returned 500 after deserialization.
[+] Target http://localhost:8081 is vulnerable to CVE-2025-24813!
[+] Temporary file removed: payload.ser
```

* Failed Exploit:
```
[+] Server is writable via PUT: http://localhost:8081/check.txt
[*] Session ID: absholi7ly
[+] Payload generated successfully: payload.ser
[-] Payload upload failed: http://localhost:8081/uploads/../sessions/absholi7ly.session (HTTP 403)
[-] Target http://localhost:8081 does not appear vulnerable or exploit failed.
[+] Temporary file removed: payload.ser
```
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →