Loading…

Cookies and privacy

We use strictly necessary cookies to run the site. With your permission we also load Vercel Web Analytics and Speed Insights to measure traffic and performance in aggregate. See our Cookie Policy and Privacy Policy.

CVE-2025-24813: Apache Tomcat Path Equivalence Vulnerability · Scorifya

CVE detail

CVE-2025-24813: Apache Tomcat Path Equivalence Vulnerability

Source: CISA Known Exploited Vulnerabilities catalog · back to feed

Vendor / product

Apache · Tomcat

Date added (KEV): Apr 01, 2025
CISA due date: Apr 22, 2025
Ransomware campaign use: Unknown

Required action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Vendor fix: Vendor advisory

Scorifya interpretation

AI-generated

A short, structured read of the record above — generated when this page first loads, then cached for a week.

Plain English

Technical detail

From CISA

Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT request.

This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq ; https://nvd.nist.gov/vuln/detail/CVE-2025-24813

References

https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgqVendor Advisory
http://www.openwall.com/lists/oss-security/2025/03/10/5Mailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2025/04/msg00003.htmlMailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20250321-0001/Third Party Advisory
https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rceIssue Tracking

Other recent CVEs from Apache

CVE-2026-34197ActiveMQ — Apache ActiveMQ Improper Input Validation Vulnerability
CVE-2024-38475HTTP Server — Apache HTTP Server Improper Escaping of Output Vulnerability
CVE-2024-45195OFBiz — Apache OFBiz Forced Browsing Vulnerability
CVE-2024-27348HugeGraph-Server — Apache HugeGraph-Server Improper Access Control Vulnerability
CVE-2024-38856OFBiz — Apache OFBiz Incorrect Authorization Vulnerability

Check your domain's public posture

Scorifya doesn't test for specific CVEs, but if patching Apache changed your headers or TLS, a fresh hardening scan helps confirm nothing regressed externally.

Run a free scan Methodology