Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-24813 PoC — Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT

Source
https://github.com/yaleman/cve-2025-24813-poc
Associated Vulnerability
Title:Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT (CVE-2025-24813)
Description:Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
Readme
# CVE-2025-24813 Apache Tomcat RCE Exploit PoC

This repository contains a proof-of-concept exploit for CVE-2025-24813, a Java
deserialization vulnerability in Apache Tomcat.

Based on
[absholi7ly/POC-CVE-2025-24813/](https://github.com/absholi7ly/POC-CVE-2025-24813/).

## Prerequisites

- Docker

## Setup

1. Install dependencies:

   ```bash
   uv venv
   source .venv/bin/activate
   uv sync
   ```

2. Download ysoserial:

   ```bash
   ./download.sh
   ```

## Usage

### Using Docker (Recommended)

Build and run the exploit in a container:

```bash
docker build -t cve-2025-24813-poc:latest .
docker run --rm -it --mount "type=bind,src=$(pwd),target=/app" cve-2025-24813-poc:latest
python main.py <target>
```

### Direct Execution

Run the exploit directly:

```bash
python main.py <target_url> [options]
```

#### Options

- `--command`: Command to execute (default: `calc.exe`)
- `--ysoserial`: Path to ysoserial.jar (default: `./ysoserial-all.jar`)
- `--gadget`: ysoserial gadget chain (default: `CommonsCollections6`)
- `--payload_type`: Payload type - `ysoserial` or `java` (default: `ysoserial`)
- `--no-ssl-verify`: Disable SSL verification

#### Examples

```bash
# Basic usage
python main.py http://target:8080

# Custom command
python main.py http://target:8080 --command "whoami"

# Using Java payload instead of ysoserial
python main.py http://target:8080 --payload_type java
```

## How it Works

1. Checks if the target servlet is writable via PUT requests
2. Generates a malicious serialized Java payload
3. Uploads the payload as a session file
4. Triggers deserialization by accessing the session

## Disclaimer

This tool is for educational and authorized testing purposes only. Do not use
against systems you do not own or have explicit permission to test.

## References

- <https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html>
- <https://nvd.nist.gov/vuln/detail/CVE-2025-24813>
- <https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-03-14-Testing-CVE-2025-24813.md>
File Snapshot

 [4.0K]  /data/pocs/ff1fc3f4e0756299aa56b4708df0fe70611af83a
├── [ 182]  CLAUDE.md
├── [1.6K]  context.xml
├── [1.4K]  context.xml.original
├── [ 204]  Dockerfile
├── [1.6K]  Dockerfile.vulnerable
├── [ 699]  download.sh
├── [ 12K]  index.jsp
├── [ 12K]  index.jsp.original
├── [ 280]  index.jsp.other
├── [ 678]  justfile
├── [ 11K]  main.py
├── [2.2K]  payload.base64
├── [ 341]  pyproject.toml
├── [2.0K]  README.md
├── [ 393]  ROOT.xml
├── [ 60K]  uv.lock
├── [168K]  web.xml
└── [168K]  web.xml.original

0 directories, 18 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →