We have identified a critical security vulnerability (CVE-2025-24813) in Apache Tomcat components used by WebAPI. This issue allows Remote Code Execution (RCE), information disclosure, and potential injection of malicious content through the Default Servlet when handling file uploads.
Details:
CVE: CVE-2025-24813
Severity: Critical
Affected Components:
- tomcat-embed-core version 8.5.43
- catalina.jar version 9.0.89
Exploit Availability: Confirmed
Description:
Path Equivalence vulnerability in Apache Tomcat can lead to RCE and other security risks. Affected versions include:
- 11.0.0-M1 through 11.0.2
- 10.1.0-M1 through 10.1.34
- 9.0.0.M1 through 9.0.98
- EOL versions: 8.5.0 through 8.5.100
Recommended Fix:
Upgrade to one of the patched versions: 11.0.3, 10.1.35, or 9.0.99. No patched release is listed for the end-of-life 8.5 line, so the tomcat-embed-core 8.5.43 dependency must move to one of the supported lines above rather than to a later 8.5.x build.
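To check a component version against the ranges listed above, here is an added Python example; it is not part of the original advisory or of Apache Tomcat. It encodes only the affected ranges and fixed versions stated above, and assumes Tomcat's milestone notation (`9.0.0.M1`, `11.0.0-M1`) sorts before the GA release with the same number.

```python
import re
from typing import Optional, Tuple

# Affected ranges exactly as listed in the advisory (inclusive on both ends),
# each with the fixed version named for that line. The 8.5 line is EOL and has
# no fixed release listed, hence None.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.2", "11.0.3"),
    ("10.1.0-M1", "10.1.34", "10.1.35"),
    ("9.0.0.M1", "9.0.98", "9.0.99"),
    ("8.5.0", "8.5.100", None),
]

# major.minor.patch with an optional milestone suffix written as ".M<n>" or "-M<n>"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(s: str) -> Tuple[int, int, int, int, int]:
    """Parse a Tomcat version string into a tuple that orders correctly.

    Shape: (major, minor, patch, is_ga, milestone). A GA release gets is_ga=1
    and so sorts after every milestone (is_ga=0) of the same number.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {s!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def assess(version: str) -> dict:
    """Return whether `version` falls in an affected range and what fixes it."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return {"version": version, "affected": True, "fixed_in": fixed}
    # Not inside any listed range (covers patched releases and other lines).
    return {"version": version, "affected": False, "fixed_in": None}


def main() -> None:
    # The two component versions named in the advisory.
    for component, version in [("tomcat-embed-core", "8.5.43"), ("catalina.jar", "9.0.89")]:
        result = assess(version)
        status = "AFFECTED" if result["affected"] else "not affected"
        fix = result["fixed_in"] or "no fixed release in this line (EOL)"
        print(f"{component} {version}: {status}; upgrade target: {fix}")


if __name__ == "__main__":
    main()
```

Run it as a script to see both components reported as affected; `assess()` can also be called from a dependency-audit job with whatever version strings your build tooling exposes.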
Validate file names to prevent path traversal attacks.
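As an added illustration of the file-name validation recommended above (example code written for this page, not the project's or Tomcat's own; the upload root `/var/app/uploads` is a hypothetical path), an allow-list validator that rejects separators, relative components and control characters before a client-supplied name is joined to the upload directory:

```python
import posixpath
import re

# Hypothetical upload directory used by this example.
UPLOAD_ROOT = "/var/app/uploads"

# Allow-list: a name must start with a letter or digit and may then contain
# only letters, digits, dot, underscore and hyphen. This excludes "/", "\\",
# NUL and other control characters, and the "." and ".." components outright.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def is_safe_filename(name: str) -> bool:
    """Return True only if `name` is a single, plain file-name component."""
    return bool(_SAFE_NAME.fullmatch(name))


def safe_upload_path(root: str, user_supplied: str) -> str:
    """Join a client-supplied name onto `root`, refusing anything that could
    escape the upload directory. Raises ValueError on rejection."""
    if not is_safe_filename(user_supplied):
        raise ValueError(f"rejected file name: {user_supplied!r}")
    candidate = posixpath.normpath(posixpath.join(root, user_supplied))
    # Defence in depth: even after the allow-list, confirm the resolved path
    # still lies inside root, so a later loosening of the regex cannot
    # silently reintroduce traversal.
    if posixpath.commonpath([root, candidate]) != posixpath.normpath(root):
        raise ValueError(f"path escapes upload root: {candidate!r}")
    return candidate


def main() -> None:
    # Constructed sample inputs: one legitimate name and several that must be refused.
    samples = ["report.pdf", "../etc/passwd", "..", "a/b.txt", "x\x00.jsp", "..\\win.ini"]
    for s in samples:
        try:
            print(f"{s!r:22} -> {safe_upload_path(UPLOAD_ROOT, s)}")
        except ValueError as exc:
            print(f"{s!r:22} -> REJECTED ({exc})")


if __name__ == "__main__":
    main()
```

This validates the name the client chose; it does not replace the upgrade, which is the actual fix for CVE-2025-24813. The `commonpath` check operates on the string path only, so keep the upload directory free of symlinks that point outside it.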