Re: [SECURITY] CVE-2025-24813 Potential RCE and/or information disclosure and/or information corruption with partial PUT

2025-03-12 Thread Darryl Baker
Does this have a CVE score yet?

Darryl Baker, GSEC, GCLD (he/him/his) 
Sr. System Administrator 
Distributed Application Platform Services 
Northwestern University 
4th Floor 
2020 Ridge Avenue 
Evanston, IL 60208-0801 
darryl.ba...@northwestern.edu  
(847) 467-6674  




On 3/10/25, 11:38 AM, "Mark Thomas" <ma...@apache.org> wrote:


CVE-2025-24813 Potential RCE and/or information disclosure and/or 
information corruption with partial PUT


Severity: Important


Vendor: The Apache Software Foundation


Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.2
Apache Tomcat 10.1.0-M1 to 10.1.34
Apache Tomcat 9.0.0.M1 to 9.0.98


Description:
The original implementation of partial PUT used a temporary file based 
on the user provided file name and path with the path separator replaced 
by ".".


If all of the following were true, a malicious user was able to view 
security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory
of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being
uploaded
- the security sensitive files also being uploaded via partial PUT


If all of the following were true, a malicious user was able to perform 
remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with
the default storage location
- application included a library that may be leveraged in a
deserialization attack


Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.3 or later
- Upgrade to Apache Tomcat 10.1.35 or later
- Upgrade to Apache Tomcat 9.0.99 or later


Credit:
Information disclosure/corruption: COSCO Shipping Lines DIC
Remote code execution: sw0rd1ight (https://github.com/sw0rd1ight)


History:
2025-03-10 Original advisory


References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org








Re: [SECURITY] CVE-2025-24813 Potential RCE and/or information disclosure and/or information corruption with partial PUT

2025-03-12 Thread Christopher Schultz

Darryl,

On 3/12/25 1:23 PM, Darryl Baker wrote:
> For us the CVSS score is a way to determine how deeply to
> investigate and more importantly to describe the criticality to
> management in a way they understand.

If you haven't changed the default configuration for the DefaultServlet
from readonly="true" to readonly="false", then you have nothing to worry
about.


-chris


On 3/12/25, 9:21 AM, "Mark Thomas" <ma...@apache.org> wrote:

On 12/03/2025 14:01, Darryl Baker wrote:
> Does this have a CVE score yet?



We don't provide CVSS scores as we don't believe they provide any value
(they are too subjective and don't allow for the individual
circumstances of any deployment). It is far too easy for a vulnerability
to score 0 for some users and 10 for others.


We provide the criteria that enables you to determine if you are exposed
and the possible consequences if you are. You then get to decide how
concerned you want to be.


Mark
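The advisory lists the conditions for both scenarios, and Chris's reply above reduces the practical question to the DefaultServlet's readonly setting. The following script is an added example for checking those two preconditions on a deployment; it is not code from this thread or from Tomcat. It compares a Tomcat version string against the affected ranges the advisory gives and reads the DefaultServlet init-params from a conf/web.xml. `readonly` is the parameter named in the thread; `allowPartialPut` is assumed here to be the DefaultServlet init-param that controls partial PUT support (the advisory does not name it). The web.xml excerpts and version strings below are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases from the advisory; every earlier release of the same branch
# (down to the first milestone) is listed as affected.
FIXED_PATCH = {(11, 0): 3, (10, 1): 35, (9, 0): 99}

# Matches "9.0.98", "11.0.2", and the milestone forms "10.1.0-M1" / "9.0.0.M1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(version):
    """Return a comparable tuple; a milestone sorts before the final release of the same number."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    stage = (0, int(milestone)) if milestone else (1, 0)
    return int(major), int(minor), int(patch), stage


def is_affected(version):
    """True/False for the 9.0.x, 10.1.x and 11.0.x branches; None for a branch the advisory does not list."""
    major, minor, patch, stage = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return None
    return (patch, stage) < (fixed, (1, 0))


def _local(tag):
    # conf/web.xml is namespaced (javaee for 9.0.x, jakartaee for 10.1.x/11.0.x); compare local names only.
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml_text):
    """Return the init-params of the servlet named 'default' in a web.xml document."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        children = {_local(c.tag): c for c in servlet}
        name_el = children.get("servlet-name")
        if name_el is None or (name_el.text or "").strip() != "default":
            continue
        params = {}
        for child in servlet:
            if _local(child.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in child}
                params[kv.get("param-name", "")] = kv.get("param-value", "")
        return params
    return {}


def assess(version, web_xml_text):
    """Apply the two preconditions the advisory lists for both attack scenarios."""
    params = default_servlet_params(web_xml_text)
    # Tomcat ships readonly=true; only an explicit "false" enables writes through the default servlet.
    writes_enabled = params.get("readonly", "true").strip().lower() == "false"
    # allowPartialPut is the assumed init-param name for partial PUT support; the advisory says it defaults to on.
    partial_put = params.get("allowPartialPut", "true").strip().lower() != "false"
    affected = is_affected(version)
    return {
        "version_affected": affected,
        "writes_enabled": writes_enabled,
        "partial_put_enabled": partial_put,
        "exposed": bool(affected) and writes_enabled and partial_put,
    }


# Constructed excerpt of a conf/web.xml with the weak setting (writes switched on).
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

# Same excerpt with the shipped default: readonly is omitted, so it stays true.
DEFAULT_WEB_XML = WEAK_WEB_XML.replace(
    "<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>", "")

if __name__ == "__main__":
    for ver, xml in (("9.0.98", WEAK_WEB_XML), ("9.0.98", DEFAULT_WEB_XML), ("9.0.99", WEAK_WEB_XML)):
        print(ver, assess(ver, xml))
```

The version check answers whether to upgrade at all; the web.xml check answers Chris's question of whether the default servlet was ever made writable. Note that a web application's own WEB-INF/web.xml can override the DefaultServlet init-params, so the same function should be run over each deployed application's descriptor, not only the global conf/web.xml.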







Re: Tomcat 9.0.98 Performance hits AWS 100% CPU

2025-03-12 Thread Christopher Schultz

Timothy,

On 3/12/25 1:00 PM, Timothy Resh wrote:
> Thanks for your input on this issue.  I have additional information on
> this.  What would happen if the temp directory gets this size of 38000
> Files and 1.6GB of data?   Has anyone seen tomcat slow down because of temp
> directory size?


I don't believe Tomcat scans the temp/ directory for any reason, so I 
don't think the size of the temp directory would impact Tomcat performance.


That said, a thread dump showing what your threads are actually doing 
would point directly to that, if it were a problem.


-chris


On Sun, Mar 9, 2025 at 1:01 PM Suvendu Sekhar Mondal wrote:

> Hi Timothy,
>
> Since you are running Tomcat on Windows Server 2016, I'll suggest to
> capture OS level CPU utilization by threads and then tally them with the
> threads in Java thread dumps to identify the cause.
>
> Run Process Explorer as an administrator. Right-click the process, select
> Properties, and then select the Threads tab. Sort by CPU column and note
> thread ID. Note top CPU consuming thread IDs. Convert those numbers to hex
> values and search it in the thread dumps.
>
> On Sat, Mar 8, 2025, 5:31 AM Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> > Chuck,
> >
> > On 3/7/25 5:38 PM, Chuck Caldarale wrote:
> > >
> > >> On 2025 Mar 7, at 16:06, Timothy Resh wrote:
> > >>
> > >> Dear Apache Support Team,
> > >>
> > >> I'm running Tomcat 9.0.98 in the AWS Cloud. After several days of use, we
> > >> see that the CPU utilization eventually reaches 100% in the Cloud, but when
> > >> we RDP into the Server and look at the Task Manager, we do not see the
> > >> performance being impacted. However, users complain of severe slowdowns,
> > >> and sometimes, it stops responding.
> > >>
> > >> We are trying to discover what may be the issue. We have an automated
> > >> process that will fire off a restart when it reaches 100% utilization. We
> > >> want to get more information by using a JPS, Jconsole, or some other Java
> > >> utility to capture additional information before the restart.  Do you have
> > >> any suggestions in capturing this information before restart?
> > >
> > > Try taking several full thread dumps a few seconds apart to see
> > > where threads are executing. You can use a profiler if you have one,
> > > the jcmd or jstack JDK utilities, or VisualVM (separate download,
> > > these days). The jconsole utility can also be used to look at each
> > > individual thread one by one, but that’s somewhat painful. VisualVM
> > > can let you determine quickly by eye which threads are burning up
> > > the CPU.
> >
> > +1
> >
> > With 11 web applications deployed, you may have some performance issues
> > if you have a lot of scannable files and you are using reloadable="true"
> > in META-INF/context.xml.
> >
> > But a thread dump is going to be very informative.
> >
> > -chris





Re: [SECURITY] CVE-2025-24813 Potential RCE and/or information disclosure and/or information corruption with partial PUT

2025-03-12 Thread Mark Thomas

On 12/03/2025 14:01, Darryl Baker wrote:
> Does this have a CVE score yet?


We don't provide CVSS scores as we don't believe they provide any value 
(they are too subjective and don't allow for the individual 
circumstances of any deployment). It is far too easy for a vulnerability 
to score 0 for some users and 10 for others.


We provide the criteria that enables you to determine if you are exposed 
and the possible consequences if you are. You then get to decide how 
concerned you want to be.


Mark







Re: [SECURITY] CVE-2025-24813 Potential RCE and/or information disclosure and/or information corruption with partial PUT

2025-03-12 Thread Darryl Baker
For us the CVSS score is a way to determine how deeply to investigate and more 
importantly to describe the criticality to management in a way they understand.

Darryl Baker, GSEC, GCLD (he/him/his) 
Sr. System Administrator 
Distributed Application Platform Services 
Northwestern University 
4th Floor 
2020 Ridge Avenue 
Evanston, IL 60208-0801 
darryl.ba...@northwestern.edu  
(847) 467-6674  




On 3/12/25, 9:21 AM, "Mark Thomas" <ma...@apache.org> wrote:


On 12/03/2025 14:01, Darryl Baker wrote:
> Does this have a CVE score yet?


We don't provide CVSS scores as we don't believe they provide any value 
(they are too subjective and don't allow for the individual 
circumstances of any deployment). It is far too easy for a vulnerability 
to score 0 for some users and 10 for others.


We provide the criteria that enables you to determine if you are exposed 
and the possible consequences if you are. You then get to decide how 
concerned you want to be.


Mark





Re: Tomcat 9.0.98 Performance hits AWS 100% CPU

2025-03-12 Thread Timothy Resh
Thanks for your input on this issue.  I have additional information on
this.  What would happen if the temp directory gets this size of 38000
Files and 1.6GB of data?   Has anyone seen tomcat slow down because of temp
directory size?



On Sun, Mar 9, 2025 at 1:01 PM Suvendu Sekhar Mondal wrote:

> Hi Timothy,
>
> Since you are running Tomcat on Windows Server 2016, I'll suggest to
> capture OS level CPU utilization by threads and then tally them with the
> threads in Java thread dumps to identify the cause.
>
> Run Process Explorer as an administrator. Right-click the process, select
> Properties, and then select the Threads tab. Sort by CPU column and note
> thread ID. Note top CPU consuming thread IDs. Convert those numbers to hex
> values and search it in the thread dumps.
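Suvendu's procedure (decimal thread id from Process Explorer, converted to hex, searched for in the dump) and Chuck's earlier advice in this thread to take several full thread dumps a few seconds apart can be combined in a small script. The following is an added example, not code from this thread or from Tomcat: it parses jstack / `jcmd <pid> Thread.print` output, maps the `nid=` field back to the decimal OS thread id, and reports which of the top-CPU threads were RUNNABLE in the same frame in every dump. The two dumps are constructed samples in jstack format; the thread names, ids and stack frames in them are made up.

```python
import re

# One thread in a jstack / "jcmd <pid> Thread.print" dump starts with a header such as
#   "http-nio-8080-exec-3" #42 daemon prio=5 os_prio=0 ... nid=0x1f40 runnable [0x...]
# nid is the OS thread id in hex, the same number Process Explorer shows in decimal.
_THREAD_HEADER = re.compile(r'^"(?P<name>[^"]+)" .*?nid=(?P<nid>0x[0-9a-fA-F]+)')
_STATE = re.compile(r'^\s+java\.lang\.Thread\.State:\s+(\S+)')
_FRAME = re.compile(r'^\s+at\s+(.+?)\s*$')


def parse_thread_dump(text):
    """Map OS thread id (int) -> {name, state, frames} for every thread in one dump."""
    threads, current = {}, None
    for line in text.splitlines():
        m = _THREAD_HEADER.match(line)
        if m:
            current = {"name": m.group("name"), "state": None, "frames": []}
            threads[int(m.group("nid"), 16)] = current
        elif current is not None:
            if (m := _STATE.match(line)):
                current["state"] = m.group(1)
            elif (m := _FRAME.match(line)):
                current["frames"].append(m.group(1))
    return threads


def os_tid_to_nid(tid):
    """Process Explorer lists the thread id in decimal; the dump prints it as a hex nid."""
    return f"0x{tid:x}"


def hot_threads(dumps, os_thread_ids):
    """For each top-CPU OS thread id, report the thread's name and (state, top frame) per dump."""
    parsed = [parse_thread_dump(d) for d in dumps]
    report = {}
    for tid in os_thread_ids:
        name, samples = None, []
        for threads in parsed:
            t = threads.get(tid)
            if t is None:
                samples.append(None)  # not in this dump: thread already gone, or dump from another pid
                continue
            name = t["name"]
            samples.append((t["state"], t["frames"][0] if t["frames"] else None))
        report[tid] = {"nid": os_tid_to_nid(tid), "name": name, "samples": samples}
    return report


def consistently_hot(report):
    """Thread ids that were RUNNABLE at the same top frame in every dump: the likely CPU burners."""
    out = []
    for tid, info in report.items():
        s = info["samples"]
        if s and all(x is not None and x[0] == "RUNNABLE" for x in s) and len({x[1] for x in s}) == 1:
            out.append(tid)
    return out


# Constructed sample: two dumps taken five seconds apart from the same JVM
# (thread names, ids and frames are made up for the example).
DUMP_1 = """Full thread dump OpenJDK 64-Bit Server VM (17.0.10+7 mixed mode, sharing):

"http-nio-8080-exec-3" #42 daemon prio=5 os_prio=0 cpu=91234.12ms elapsed=3600.55s tid=0x00007f3a4c0a1000 nid=0x1f40 runnable  [0x00007f3a1c3fe000]
   java.lang.Thread.State: RUNNABLE
    at com.example.report.ReportBuilder.render(ReportBuilder.java:88)
    at com.example.report.ReportServlet.doGet(ReportServlet.java:41)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:645)

"http-nio-8080-exec-7" #46 daemon prio=5 os_prio=0 cpu=12.30ms elapsed=3600.40s tid=0x00007f3a4c0a5000 nid=0x1f44 waiting on condition  [0x00007f3a1bffe000]
   java.lang.Thread.State: WAITING (parking)
    at jdk.internal.misc.Unsafe.park(java.base@17.0.10/Native Method)
    at java.util.concurrent.locks.LockSupport.park(java.base@17.0.10/LockSupport.java:341)
"""
DUMP_2 = DUMP_1.replace("elapsed=3600", "elapsed=3605")

if __name__ == "__main__":
    # 8000 and 8004 stand in for the decimal ids at the top of Process Explorer's CPU column.
    report = hot_threads([DUMP_1, DUMP_2], [8000, 8004])
    for tid, info in report.items():
        print(tid, info["nid"], info["name"], info["samples"])
    print("consistently RUNNABLE in the same frame:", consistently_hot(report))
```

A thread that shows up RUNNABLE in the same application frame across all dumps is the one to read the full stack of; a thread that is WAITING or parked is idle even if it looked busy a moment earlier. On Windows the decimal id from Process Explorer's Threads tab is what `os_tid_to_nid` converts, so the script can be pointed at the dumps captured by the pre-restart automation described in the thread.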