Apache Tomcat Remote Code Execution Vulnerability (CVE-2025-24813)
Tomcat is an open source, lightweight web application server and Servlet container developed by the Jakarta project under the Apache Software Foundation, and it is currently one of the most widely used Java web servers.
Exploitation is relatively involved: all four of the following conditions must hold at the same time:
- The application has write support enabled on the DefaultServlet; this is disabled by default.
- The application accepts partial PUT requests, through which malicious serialized data can be written into a session file; this is enabled by default.
- The application uses Tomcat's file-based session persistence with the default session storage location; this requires additional configuration.
- A library with a usable deserialization gadget chain, such as commons-collections, is present on the classpath; whether this holds depends on the application's own dependencies.
Vulnerability Threat Level: High Risk
Affected versions
11.0.0-M1 <= Apache Tomcat <= 11.0.2
10.1.0-M1 <= Apache Tomcat <= 10.1.34
9.0.0.M1 <= Apache Tomcat <= 9.0.98
Safe versions
Apache Tomcat >= 11.0.3
Apache Tomcat >= 10.1.35
Apache Tomcat >= 9.0.99
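An added audit helper, not part of this article or of the project it describes: it checks an embedded Tomcat version against the affected ranges above, and inspects a web.xml and a context.xml for two of the preconditions listed earlier (DefaultServlet write support and file-based session persistence). The XML samples are constructed for the demo; the element and attribute names are Tomcat's standard ones.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory (inclusive); milestones sort before the GA release.
AFFECTED = [("11.0.0-M1", "11.0.2"), ("10.1.0-M1", "10.1.34"), ("9.0.0.M1", "9.0.98")]
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed samples showing the risky settings (not taken from the article).
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
CONTEXT_XML = """<Context><Manager className="org.apache.catalina.session.PersistentManager">
<Store className="org.apache.catalina.session.FileStore"/></Manager></Context>"""


def parse_version(v):
    """Sort key for Tomcat versions such as 9.0.98, 9.0.0.M1 or 11.0.0-M1."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch), 0 if ms else 1, int(ms or 0))

def is_affected(version):
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in AFFECTED)

def _local(tag):  # drop the {namespace} prefix ElementTree adds to tag names
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), "")

def default_servlet_writable(web_xml):
    """Condition 1: web.xml sets init-param readonly=false on the DefaultServlet."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) == "servlet" and _child_text(servlet, "servlet-class") == DEFAULT_SERVLET:
            for p in servlet:
                if _local(p.tag) == "init-param" and _child_text(p, "param-name") == "readonly":
                    return _child_text(p, "param-value").lower() == "false"
    return False

def file_store_sessions(context_xml):
    """Condition 3: context.xml uses PersistentManager backed by a FileStore."""
    for mgr in ET.fromstring(context_xml).iter("Manager"):
        if mgr.get("className", "").endswith("PersistentManager"):
            return any(s.get("className", "").endswith("FileStore") for s in mgr.iter("Store"))
    return False
```

A result of True from both checks together with an affected version means the first three preconditions are met and the upgrade below is urgent.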
Key configurations
Project structure
```
demo_project
├─module
│ ├─src
│ │ └─main
│ └─
└─
```
Under the project root path
```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="/POM/4.0.0" xmlns:xsi="http:///2001/XMLSchema-instance"
         xsi:schemaLocation="/POM/4.0.0 /xsd/maven-4.0.">
    <modelVersion>4.0.0</modelVersion>
    <groupId></groupId>
    <artifactId>demo</artifactId>
    <version>1.0.0</version>
    <name>demo</name>
    <description>demo</description>
    <properties>
        <>1.0.0</>
        <>UTF-8</>
        <>UTF-8</>
        <>1.8</>
        <>9.0.99</>
        <>1.3.5</>
    </properties>
    <!-- Dependency declarations -->
    <dependencyManagement>
        <dependencies>
            <!-- Spring Boot dependency configuration -->
            <dependency>
                <groupId></groupId>
                <artifactId>spring-boot-dependencies</artifactId>
                <version>2.5.14</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
            <!-- Fix for the Apache Tomcat remote code execution vulnerability (CVE-2025-24813) -->
            <dependency>
                <groupId></groupId>
                <artifactId>tomcat-embed-core</artifactId>
                <version>${}</version>
            </dependency>
            <dependency>
                <groupId></groupId>
                <artifactId>tomcat-embed-el</artifactId>
                <version>${}</version>
            </dependency>
            <dependency>
                <groupId></groupId>
                <artifactId>tomcat-embed-websocket</artifactId>
                <version>${}</version>
                <exclusions>
                    <exclusion>
                        <artifactId>tomcat-annotations-api</artifactId>
                        <groupId></groupId>
                    </exclusion>
                </exclusions>
            </dependency>
            <dependency>
                <groupId></groupId>
                <artifactId>-api</artifactId>
                <version>${}</version>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <modules>
        <module>module</module>
    </modules>
    <packaging>pom</packaging>
    <dependencies>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId></groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>3.8.1</version>
                <configuration>
                    <source>${}</source>
                    <target>${}</target>
                    <encoding>${}</encoding>
                    <parameters>true</parameters>
                </configuration>
            </plugin>
        </plugins>
        <resources>
            <resource>
                <directory>src/main/resources</directory>
                <filtering>true</filtering>
            </resource>
            <resource>
                <directory>src/main/java</directory>
                <includes>
                    <include>**/*.xml</include>
                </includes>
            </resource>
        </resources>
    </build>
</project>
```
In the module directory
```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="/POM/4.0.0" xmlns:xsi="http:///2001/XMLSchema-instance"
         xsi:schemaLocation="/POM/4.0.0 /xsd/maven-4.0.">
    <parent>
        <artifactId>demo</artifactId>
        <groupId></groupId>
        <version>1.0.0</version>
    </parent>
    <modelVersion>4.0.0</modelVersion>
    <artifactId>module</artifactId>
    <description>module Module</description>
    <dependencies>
        <!-- Spring Boot web container -->
        <dependency>
            <groupId></groupId>
            <artifactId>spring-boot-starter-web</artifactId>
            <exclusions>
                <exclusion>
                    <groupId>.log4j</groupId>
                    <artifactId>log4j-api</artifactId>
                </exclusion>
                <exclusion>
                    <groupId></groupId>
                    <artifactId>spring-boot-starter-tomcat</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <!-- websocket -->
        <dependency>
            <groupId></groupId>
            <artifactId>spring-boot-starter-websocket</artifactId>
            <exclusions>
                <exclusion>
                    <groupId></groupId>
                    <artifactId>spring-boot-starter-tomcat</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId></groupId>
            <artifactId>tomcat-embed-core</artifactId>
            <exclusions>
                <exclusion>
                    <artifactId>tomcat-annotations-api</artifactId>
                    <groupId></groupId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId></groupId>
            <artifactId>tomcat-embed-el</artifactId>
        </dependency>
        <dependency>
            <groupId></groupId>
            <artifactId>tomcat-embed-websocket</artifactId>
            <exclusions>
                <exclusion>
                    <artifactId>tomcat-annotations-api</artifactId>
                    <groupId></groupId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId></groupId>
            <artifactId>-api</artifactId>
        </dependency>
    </dependencies>
</project>
```
References
- spring-boot-starter-parent 2.5.14 maven dependencies