Vulnerable Version
Versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98.
Fixed Version
Fixed in 11.0.3, 10.1.35 or 9.0.99.
Base Score
9.8 Critical
Vendor Description:
Apache Tomcat is an open-source implementation of the Java Servlet, JavaServer Pages (JSP), and WebSocket technologies, developed by the Apache Software Foundation. It serves as a lightweight, reliable, and widely-used web server and servlet container for deploying Java-based web applications. Tomcat is known for its performance, ease of configuration, and strong community support, making it a preferred choice for enterprise-grade applications and microservices architectures. It is often used in development and production environments to run dynamic content and support scalable, high-availability web services.
CVE-2025-24813 Vulnerability Description:
A deserialization vulnerability was discovered in Apache Tomcat versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98. It occurs when Tomcat is set up with both a writable DefaultServlet (readonly=false) and file-based session persistence. The combination lets an attacker upload an arbitrary file to the server and then have Tomcat deserialize that file by manipulating the JSESSIONID cookie, resulting in remote code execution.
Deep Dive:
The vulnerability exists due to two key misconfigurations in Tomcat. First, the DefaultServlet is configured with readonly=false, which allows files to be written via PUT:
    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>readonly</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
Second, Tomcat is configured to use file-based session persistence:
    <Manager className="org.apache.catalina.session.PersistentManager">
        <Store className="org.apache.catalina.session.FileStore"/>
    </Manager>
Both configurations share the same default storage path: $CATALINA_BASE/work/Catalina/localhost/ROOT.
When handling a partial PUT request, Tomcat replaces the path separators (/) in the requested path with periods (.) and writes the incoming data to a temporary file in the work directory, which is the same directory FileStore uses for persisted sessions. A crafted request can therefore place a malicious serialized object in that directory.
To exploit this vulnerability, submit a partial PUT request with a Content-Range header so that a file named .deserialize.session is written to the temporary directory.
Impact:
- Remote Code Execution: CVE-2025-24813 enables attackers to run arbitrary code on the server, resulting in full compromise of the host.
- Unauthorized Access: By exploiting the vulnerability, attackers can bypass security controls and gain access to sensitive data.
- Privilege Escalation: Attackers can raise their privileges within the compromised system, increasing the likelihood of further intrusion.
- Data Theft and Integrity Risks: Unauthorized access could result in data breaches, file manipulation, or the theft of important business information.
- Operational Disruption: Successful exploitation may cause service outages, system instability, and business interruption.
Mitigations:
- Upgrade to the latest patched version: To address the vulnerability, update Apache Tomcat to the most recent fixed release.
- Apply security patches: Apply Apache Tomcat security updates on a regular basis to address newly disclosed vulnerabilities.
- Restrict HTTP Methods: Unnecessary HTTP methods such as PUT and DELETE should be disabled unless specifically required.
- Enforce Access Controls: Use strong authentication and authorization techniques to restrict access to sensitive directories.
- Implement a Web Application Firewall (WAF): Use a WAF to detect and prevent malicious HTTP requests that attempt to exploit a vulnerability.
- Monitor and audit logs: Review Apache Tomcat logs on a regular basis for unusual activity and unwanted access attempts.
- Implement Network Segmentation: To reduce the risk of attacks, restrict access to Tomcat servers from untrusted networks.
PoC
PUT /deserialize/session HTTP/1.1
Host: your-ip:8080
Content-Length: 1234
Content-Range: bytes 0-5/10

deserialize content

Then, send another request with a manipulated JSESSIONID cookie to trigger deserialization of the file:
GET / HTTP/1.1
Host: your-ip:8080
Cookie: JSESSIONID=.deserialize