Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue.

vendor_unpatched cve-2025-24813: Unpatched CVEs for Debian Linux (cve-2025-24813)

The version of Apache Tomcat installed on the remote host is 9.0.0-M1 to 9.0.98, 10.1.0-M1 to 10.1.34 or 11.0.0-M1 to 11.0.2. It is, therefore, affected by a remote code execution and/or an information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet.

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 11.0.3. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_11.0.3_security-11 advisory.

  - Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information     disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache     Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34,     from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view     security sensitive files and/or inject content into those files: - writes enabled for the default servlet     (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive     uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of     security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT     If all of the following were true, a malicious user was able to perform remote code execution: - writes     enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) -     application was using Tomcat's file based session persistence with the default storage location -     application included a library that may be leveraged in a deserialization attack Users are recommended to     upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue. (CVE-2025-24813)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 10.1.35. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_10.1.35_security-10 advisory.

  - Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information     disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache     Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34,     from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view     security sensitive files and/or inject content into those files: - writes enabled for the default servlet     (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive     uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of     security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT     If all of the following were true, a malicious user was able to perform remote code execution: - writes     enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) -     application was using Tomcat's file based session persistence with the default storage location -     application included a library that may be leveraged in a deserialization attack Users are recommended to     upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue. (CVE-2025-24813)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 9.0.99. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.99_security-9 advisory.

  - Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information     disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache     Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34,     from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view     security sensitive files and/or inject content into those files: - writes enabled for the default servlet     (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive     uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of     security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT     If all of the following were true, a malicious user was able to perform remote code execution: - writes     enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) -     application was using Tomcat's file based session persistence with the default storage location -     application included a library that may be leveraged in a deserialization attack Users are recommended to     upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue. (CVE-2025-24813)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
114658	Apache Tomcat 9.0.0-M1 < 9.0.99 Remote Code Execution	Web App Scanning	Component Vulnerability	high
114657	Apache Tomcat 10.1.0-M1 < 10.1.35 Remote Code Execution	Web App Scanning	Component Vulnerability	high
114656	Apache Tomcat 11.0.0-M1 < 11.0.3 Remote Code Execution	Web App Scanning	Component Vulnerability	high
232530	Apache Tomcat 11.0.0.M1 < 11.0.3	Nessus	Web Servers	critical
232529	Apache Tomcat 10.1.0.M1 < 10.1.35	Nessus	Web Servers	critical
232528	Apache Tomcat 9.0.0.M1 < 9.0.99	Nessus	Web Servers	critical

Detections

Analytics

CVE-2025-24813

medium

Tenable Plugins

Coming Soon

high

high

high

critical

critical

critical