CVE-2025-24813

Path Equivalence: &amp;#39;file.Name&amp;#39; (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.<br /> <br /> This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.<br /> <br /> If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:<br /> - writes enabled for the default servlet (disabled by default)<br /> - support for partial PUT (enabled by default)<br /> - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads<br /> - attacker knowledge of the names of security sensitive files being uploaded<br /> - the security sensitive files also being uploaded via partial PUT<br /> <br /> If all of the following were true, a malicious user was able to perform remote code execution:<br /> - writes enabled for the default servlet (disabled by default)<br /> - support for partial PUT (enabled by default)<br /> - application was using Tomcat&amp;#39;s file based session persistence with the default storage location<br /> - application included a library that may be leveraged in a deserialization attack<br /> <br /> Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.