Vulnerability Alert: Remote Code Execution Vulnerability CVE-2025-24813
Apache Tomcat is an open source Java servlet container, commonly used to run web applications in enterprise environments. In March 2025, the Apache Software Foundation issued a security advisory for a Remote Code Execution (RCE) vulnerability in Tomcat, identified as CVE-2025-24813.
Following the public disclosure and the release of a public proof of concept (PoC), this vulnerability has come under active exploitation in the wild, which makes it urgent for anyone running a potentially vulnerable instance to take immediate action.
In this post, we'll explore how this vulnerability can be leveraged to achieve RCE in enterprise environments and demonstrate how Kodem runtime SCA and ADR can identify these attacks without specific CVE signatures - effectively protecting against both known vulnerabilities and unknown zero-days targeting similar attack vectors.


CVE-2025-24813 - Root Cause Analysis
The vulnerability arises due to insecure temporary file naming logic in Tomcat’s DefaultServlet when handling Partial PUT requests (HTTP PUT requests with a Content-Range header).

In the vulnerable DefaultServlet code, when a partial PUT request is received, a new "temporary" file is created with an attacker-controlled filename. Notice the character replacement in [1], which replaces every "/" in the request path with "." so that the temporary file name cannot contain a path separator; this is done for security purposes.
Ironically, this very security measure is what allows an attacker to execute their code, as we'll soon see.
Also, notice in [3] that the file is only deleted when the web server is terminated, and not once it is no longer used.
Okay, so we know we can create an arbitrary file, where we can control its filename and data. How can we use this to achieve code execution on the server?
This is where a Tomcat feature called file-based session persistence comes in. If this feature is enabled, information about the current session is stored in a file, and whenever a request arrives carrying the ID of a session that is no longer in memory, Tomcat loads that session's file from disk.
Fortunately (or unfortunately), the default directory used to store the session files is the same temporary directory where our attacker-controlled file is saved!
So let’s connect all the dots to achieve RCE:
- First, we'll generate a malicious serialized payload which, for example, executes an arbitrary command when deserialized.
- Send a partial PUT request to “/pocs/session”. This will create a temporary file called “.pocs.session” with our payload in it.
- Send a GET request with JSESSIONID of “.pocs”. The server will then try to look for its session file (“.pocs.session”), find our malicious file and load it, executing our malicious code!
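The two halves of the chain above leave a recognizable trace in Tomcat's access log: a PUT carrying a Content-Range header, followed by a request whose JSESSIONID maps to exactly the temporary file name that PUT created. The following Python script is an added example for defenders (it is not part of the original post and not Kodem's code): it assumes an AccessLogValve pattern of `%h %t "%r" %s %{Content-Range}i %{JSESSIONID}c` (a hypothetical pattern chosen for this example) and runs over constructed sample lines. It mirrors the two naming rules the post describes, `path.replace("/", ".")` for the temp file and `<id>.session` for the session file, and raises a high-severity alert when they collide.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumed AccessLogValve pattern (an assumption for this example, not a
# Tomcat default):  %h %t "%r" %s %{Content-Range}i %{JSESSIONID}c
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<crange>-|bytes \S+) (?P<sid>\S+)$'
)

# Constructed sample lines (made up for this example); "-" means header absent.
SAMPLE_LOG = """\
10.0.0.5 [12/Mar/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 - 6F2A9C3B1D4E5F607182930A1B2C3D4E
198.51.100.7 [12/Mar/2025:10:00:02 +0000] "PUT /pocs/session HTTP/1.1" 204 bytes 0-1023/1025 -
198.51.100.7 [12/Mar/2025:10:00:03 +0000] "GET /index.jsp HTTP/1.1" 200 - .pocs
10.0.0.8 [12/Mar/2025:10:00:04 +0000] "PUT /uploads/report.txt HTTP/1.1" 204 bytes 0-99/200 -
10.0.0.8 [12/Mar/2025:10:00:05 +0000] "GET /uploads/report.txt HTTP/1.1" 200 - 1A2B3C4D5E6F708192A3B4C5D6E7F801
"""


@dataclass
class Alert:
    severity: str
    ip: str
    detail: str


def temp_file_name(path: str) -> str:
    """Name the unpatched DefaultServlet gives the partial-PUT temp file:
    every '/' in the request path becomes '.', as described in the post."""
    return path.replace("/", ".")


def session_file_name(session_id: str) -> str:
    """File name Tomcat's file-based session store looks up for a session ID."""
    return session_id + ".session"


def parse_line(line: str) -> dict[str, str] | None:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text: str) -> list[Alert]:
    """Flag partial PUTs, then any later request whose JSESSIONID resolves to a
    session file with the same name as a temp file a partial PUT created."""
    alerts: list[Alert] = []
    partial_puts: dict[str, tuple[str, str]] = {}  # temp file name -> (ip, path)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not in the assumed format; skip rather than guess
        if rec["method"] == "PUT" and rec["crange"] != "-":
            name = temp_file_name(rec["path"])
            partial_puts[name] = (rec["ip"], rec["path"])
            alerts.append(Alert("medium", rec["ip"],
                                f"partial PUT to {rec['path']} (temp file {name!r})"))
        if rec["sid"] != "-":
            wanted = session_file_name(rec["sid"])
            if wanted in partial_puts:
                put_ip, put_path = partial_puts[wanted]
                alerts.append(Alert("high", rec["ip"],
                                    f"JSESSIONID {rec['sid']!r} resolves to {wanted!r}, "
                                    f"created by partial PUT to {put_path} from {put_ip}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ip}: {a.detail}")
```

On the sample input the two partial PUTs produce medium alerts (a partial PUT is legitimate if DefaultServlet writes are intentionally enabled), and only the request from 198.51.100.7 with JSESSIONID ".pocs" produces the high alert, because ".pocs" + ".session" equals the temp file name derived from "/pocs/session". The correlation is keyed on file names rather than client IP, so it still fires when the two requests come from different addresses.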
CVE-2025-24813 - Patch
Let’s take a look at how this vulnerability was patched in code:

As the patched code shows, the name of the temporary file is no longer derived from the PUT request path. Instead, it is randomly generated with a fixed prefix of "put-part-".
In addition, after using the temp file and copying its data, it is deleted and not kept until the server terminates.
These two changes prevent attackers from exploiting the vulnerability by removing their ability to predict or control the temporary file names.
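Upgrading to a patched release is the fix, but the chain also depends on configuration that defenders can audit: DefaultServlet must allow writes (its `readonly` init-param set to `false`; Tomcat's default is `true`), partial PUT must be enabled (the `allowPartialPut` init-param, which defaults to `true`), and sessions must be persisted to files (a `PersistentManager` with a `FileStore` in context.xml). The following Python script is an added example, not from the original post or from Kodem, that parses constructed conf/web.xml and context.xml fragments and reports which of those preconditions are met, with the permissive settings shown beside the defaults.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed fragments (made up for this example) shaped like Tomcat's
# conf/web.xml and a context.xml, with the permissive settings in place.
WEAK_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""
WEAK_CONTEXT_XML = """\
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>
"""
# The same fragments with the defaults restored: readonly=true, no file store.
HARDENED_WEB_XML = WEAK_WEB_XML.replace("<param-value>false</param-value>",
                                        "<param-value>true</param-value>")
HARDENED_CONTEXT_XML = "<Context/>"


def _local(tag: str) -> str:
    """Strip an XML namespace prefix ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml: str) -> dict:
    """Return the init-params of the DefaultServlet declaration, if any."""
    params = {}
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = [c.text for c in servlet if _local(c.tag) == "servlet-class"]
        if not cls or (cls[0] or "").strip() != DEFAULT_SERVLET:
            continue
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            name = value = None
            for child in init_param:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name:
                params[name] = value
    return params


def uses_file_store(context_xml: str) -> bool:
    """True when sessions are persisted to disk via PersistentManager + FileStore."""
    for manager in ET.fromstring(context_xml).iter("Manager"):
        if manager.get("className", "").endswith("PersistentManager"):
            for store in manager.iter("Store"):
                if store.get("className", "").endswith("FileStore"):
                    return True
    return False


def assess(web_xml: str, context_xml: str) -> list:
    """List the preconditions of the chain that this configuration satisfies."""
    params = default_servlet_params(web_xml)
    # Tomcat defaults: readonly=true (no PUT/DELETE), allowPartialPut=true.
    writes_enabled = (params.get("readonly") or "true").lower() == "false"
    partial_put = (params.get("allowPartialPut") or "true").lower() != "false"
    findings = []
    if writes_enabled:
        findings.append("DefaultServlet readonly=false: HTTP PUT may write files")
    if writes_enabled and partial_put:
        findings.append("partial PUT enabled: temp file names follow the request path on unpatched builds")
    if uses_file_store(context_xml):
        findings.append("PersistentManager with FileStore: sessions are deserialized from files on disk")
    return findings


if __name__ == "__main__":
    for label, web, ctx in (("weak", WEAK_WEB_XML, WEAK_CONTEXT_XML),
                            ("hardened", HARDENED_WEB_XML, HARDENED_CONTEXT_XML)):
        print(label, assess(web, ctx) or ["no preconditions met"])
```

The weak pair yields all three findings; the hardened pair yields none. A finding of `readonly=false` alone is worth reviewing even on a patched build, since DefaultServlet write support is rarely needed in production, and the file-store finding matters independently because deserializing session files from disk is what turns an arbitrary file write into code execution.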
Vulnerability detection with Kodem Runtime SCA
Kodem's runtime SCA can detect whether a vulnerable version of Tomcat is in use and whether it is exploitable. We not only flag potentially vulnerable components but also confirm whether the specific classes tied to a CVE are actually used. In the screenshot below, Kodem identifies that while org.apache.tomcat.embed:tomcat-embed-core is present, the DefaultServlet class, directly implicated in CVE-2025-24813, was not loaded at runtime. This "not loaded" status indicates that the vulnerable code path was never executed, reducing the risk profile for this particular environment.

Kodem also correlates this information with the exact process, image, and environment details in which the component is running. That evidence provides teams with a clear understanding of whether the application is exposed to the vulnerability, and if so, where to focus their remediation efforts.
Kodem ADR Protection
Kodem's upcoming Application Detection and Response (ADR) capability blocks exploitation of vulnerabilities like CVE-2025-24813 by utilizing advanced memory analysis techniques to identify malicious flows inside applications.

Unlike incumbent detection tools (e.g., WAF, RASP) that rely on signatures, pattern matching or instrumentation, Kodem ADR analyzes application behavior at runtime, detecting exploitation attempts regardless of whether they target known CVEs or unknown zero-days.
Key advantages of our approach:
- Zero Tuning Required: Kodem ADR works out-of-the-box with no configuration or learning time
- Vulnerability-Agnostic Protection: Identifies attacks based on malicious behavior rather than specific CVE signatures
- Comprehensive Coverage: Protects against both known vulnerabilities and zero-day attacks using similar techniques
- No Instrumentation Needed: Kodem ADR operates without modifying application code or injecting agents, ensuring zero performance impact and seamless deployment across any environment
By focusing on memory analysis and application behavior, Kodem ADR provides a more robust security posture that remains effective even as new vulnerabilities are discovered.