Apache Tomcat: Vulnerable versions downloaded nearly 100K times since PoC

A Rapidly Exploited Vulnerability With a Major Blast Radius

A recently disclosed vulnerability in Apache Tomcat, CVE-2025-24813, is drawing significant attention due to its ease of exploitation, rapid adoption by attackers, and widespread usage across enterprise environments. This vulnerability is a blend of path traversal issues and deserialization flaws, potentially allowing for remote code execution (RCE) or the exfiltration of sensitive data.

At Sonatype, we analyzed data from Maven Central and found a concerning trend: over the past three months, vulnerable versions of Apache Tomcat were downloaded three times more often than the safe versions. This widespread adoption of outdated and insecure versions significantly increases the attack surface for malicious actors.

Let’s examine the key details of this vulnerability, its exploitation timeline, and why this attack is particularly difficult to detect.

Understanding the Apache Tomcat Vulnerability

CVE-2025-24813 is particularly concerning because it allows attackers to achieve RCE with a single unauthenticated PUT request, followed by a GET request to trigger deserialization. This vulnerability impacts versions 9.0.0-M1 to 9.0.98, 10.1.0-M1 to 10.1.34, and 11.0.0-M1 to 11.0.2. Project maintainers said the vulnerability has been resolved in Tomcat versions 9.0.99, 10.1.35, and 11.0.3.

The attack exploits Apache Tomcat’s default session persistence mechanism and partial PUT support, which are commonly enabled in many deployments. The flaw highlights the risks of improper handling of path equivalence and serialized data, making it both high-impact and easy to exploit.
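To turn the affected and fixed version ranges stated above into a check that can be run over a dependency inventory or a set of Maven Central download records, here is an added Python example (not code from Sonatype's post); the download counts it contains are constructed to exercise the classifier.

```python
import re
from typing import List, Optional, Tuple

# Sort key: (major, minor, patch, is_ga, milestone). Milestones sort before the
# GA release of the same number, so 9.0.0-M1 < 9.0.0 < 9.0.1.
VersionKey = Tuple[int, int, int, int, int]

# Affected ranges (inclusive) and first fixed release per branch, as listed in the advisory.
AFFECTED = [
    ("9.0.0-M1", "9.0.98", "9.0.99"),
    ("10.1.0-M1", "10.1.34", "10.1.35"),
    ("11.0.0-M1", "11.0.2", "11.0.3"),
]

# Accept both "9.0.0-M1" and the older "9.0.0.M1" milestone spelling seen on Maven Central.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def parse_version(text: str) -> VersionKey:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi) for lo, hi, _ in AFFECTED)


def minimum_fixed(version: str) -> Optional[str]:
    """First fixed release on the same branch; None for branches the advisory does not list."""
    key = parse_version(version)
    for lo, _, fixed in AFFECTED:
        if parse_version(lo)[:2] == key[:2]:
            return fixed
    return None


def download_split(downloads: List[Tuple[str, int]]) -> Tuple[int, int]:
    """Sum (version, count) pairs into (vulnerable_downloads, safe_downloads)."""
    vulnerable = safe = 0
    for version, count in downloads:
        if is_affected(version):
            vulnerable += count
        else:
            safe += count
    return vulnerable, safe


# Constructed sample download counts (not real Maven Central figures).
SAMPLE_DOWNLOADS = [("9.0.98", 3000), ("9.0.99", 1000), ("10.1.0-M1", 500),
                    ("10.1.35", 2000), ("11.0.2", 1500), ("11.0.3", 500)]

if __name__ == "__main__":
    vuln, safe = download_split(SAMPLE_DOWNLOADS)
    print(f"vulnerable={vuln} safe={safe} ratio={vuln / safe:.2f}x")
```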

Sonatype's Vice President of Sales Engineering, Mitun Zavery, explains the core issue:

“The Apache Tomcat vulnerability is a notable blend of path traversal issues and deserialization flaws that could allow RCE or exfiltration of sensitive data. What makes this vulnerability stand out is its minimal prerequisites, (Read more...)

*** This is a Security Bloggers Network syndicated blog from 2024 Sonatype Blog authored by Aaron Linskens. Read the original post at: https://www.sonatype.com/blog/apache-tomcat-vulnerability-widespread-exploitation-and-key-insights-from-sonatype