InfoSec Write-ups


CVE-2025-24813: Apache Tomcat Path Equivalence Vulnerability $$$$ BOUNTY

Disclaimer: This document is for educational purposes only. Exploiting systems without authorization is illegal and punishable by law.

Stay ethical. Stay legal. Secure responsibly.

Thanks, everyone, for reading. Enjoy, and happy ethical hacking!


Overview

Apache Tomcat recently disclosed a critical security vulnerability, CVE-2025-24813, which affects multiple versions of its servlet container. The flaw originates from improper handling of path equivalence checks when processing filenames containing internal dots (e.g., file…txt). Exploitation of this vulnerability may lead to:

  • Unauthorized information disclosure
  • File manipulation and unauthorized modification
  • Remote Code Execution (RCE)

Given the widespread use of Apache Tomcat in enterprise environments, this vulnerability poses a significant risk.

Affected Versions

The following versions of Apache Tomcat are impacted by CVE-2025-24813:

  • Apache Tomcat 9: 9.0.0.M1 through 9.0.98
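As an added example (not from the original post), the following Python script triages a server inventory against the affected range stated above. It only encodes the Tomcat 9 range given on this page, and the hostnames and version strings in the inventory are constructed sample data. Milestone builds such as 9.0.0.M1 sort before the corresponding final release, which is why the comparison needs a dedicated parser rather than a plain string comparison.

```python
import re

# Affected range as stated on the page (Tomcat 9 only; the page's list of
# other branches is not available here, so nothing else is encoded).
AFFECTED_RANGES = [("9.0.0.M1", "9.0.98")]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(version):
    """Return a sortable tuple for a Tomcat version string.

    Milestones (9.0.0.M1, 9.0.0.M26, ...) precede the final 9.0.0 release,
    so the last two slots are (0, n) for a milestone and (1, 0) for a final
    release. Raises ValueError on strings that do not look like a version.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone is not None else (1, 0)
    return (int(major), int(minor), int(patch)) + tail


def is_affected(version):
    """True if the version falls inside any listed affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Map host -> 'affected', 'not in listed ranges' or 'unparseable'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not in listed ranges"
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "app-01.example.test": "9.0.98",      # last affected release on the page
    "app-02.example.test": "9.0.0.M1",    # first affected milestone on the page
    "app-03.example.test": "9.0.99",      # just past the listed range
    "app-04.example.test": "9.0-SNAPSHOT",  # not a release string
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```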


Written by Ajay Naik

Cybersecurity expert with a strong focus on penetration testing, threat intelligence, and bug bounty hunting.
