bell_the_cat (Inspiring)
March 17, 2025
Answered

Is app hosted on external web server affected by latest Tomcat CVE-2025-24813

  • March 17, 2025
  • 2 replies
  • 1754 views

The latest vulnerability for Tomcat CVE-2025-24813 is reported to affect all Tomcat versions prior to 9.0.99. From the CVE: The vulnerability exists due to insufficient validation of user-supplied input when handling file uploads via HTTP PUT requests. A remote attacker can send a specially crafted HTTP PUT request to the server and gain access to sensitive information or even execute arbitrary code.


I manage both a CF 2021 and a CF 2023 installation, which as you know are on Tomcat 9.0.93.  Both use Tomcat for the CF Admin console, but the hosted apps run on an external Apache web server.  We have HTTP PUT disabled in Apache config using <LimitExcept> directive.


I'm aware it is futile asking when Adobe will put out an update to Tomcat (although if you _do_ have info, I'd be glad to hear it), but I was hoping to get answers to the following:


1. Are apps hosted on Apache vulnerable via the AJP Connector to Tomcat?  

2. Is CF Admin console which runs on Tomcat vulnerable?

3. Is there a way to lock out HTTP PUT requests on ColdFusion Tomcat to mitigate this CVE?

    Correct answer: Charlie Arehart (Community Expert), March 18, 2025

    Bell, see Pete Freitag's post today, clarifying why most cf folks do NOT need to worry about this asserted major vuln. As is often the case, thinking carefully/reading closely to vuln announcements can help spot why that's so.


    That said, he doesn't answer your specific questions, which I would answer as no, no, no. The key point he makes is how the readonly attribute of the Tomcat web server is true by default, and as the Tomcat docs he links to show, that means that "HTTP commands like PUT and DELETE are rejected". 


    I could elaborate further on why I answer as I do, but see Pete's post. He may also see this and chime in, or you may want to ask him to come back to offer his thoughts on your questions. (If you ask there, I hope you'll bring his answers here, to help other readers).


    See: Understanding and Checking for Tomcat CVE-2025-24813

    2 replies

    BKBK
    Community Expert
    March 21, 2025

    There is one crucial point, in addition to Charlie's comprehensive post:

    • the issue is not about PUT requests, it is about PARTIAL PUT requests. 


    A (full) put request is therefore not vulnerable. 

    Charlie Arehart
    Community Expert
    March 21, 2025

    Well let's be clear that it's PETE'S comprehensive post, and I was quoting his. 🙂 And whether partial or not, the main point being made (by him and by me) is that NO such http write operations sent to the Tomcat web server are allowed (with tomcat configured the way cf comes by default). And THAT is the reason this vuln is of virtually no concern for cf folks. 

    /Charlie (troubleshooter, carehart.org)
    BKBK
    Community Expert
    March 21, 2025

    I would disagree, Charlie. You seem to assume that, in every ColdFusion server environment, Tomcat is "configured the way cf comes by default). And THAT is the reason this vuln is of virtually no concern for cf folks." However, such a sweeping generalization can be misleading. In fact, it can make some ColdFusion users let their guard down.


    As an application server, ColdFusion is tunable, depending on requirements and use-cases. A ColdFusion server administrator might have had cause to override the defaults.


    I suppose that that is why Pete Freitag is careful to give the following list of conditions under which any server - including ColdFusion - will be vulnerable:

    1. If all of the following were true, a malicious user could be able to view security sensitive files and/or inject content into those files:
       - writes enabled for the default servlet (disabled by default);
       - support for partial PUT (enabled by default);
       - a target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads;
       - attacker having knowledge of the names of security sensitive files being uploaded;
       - the security sensitive files being uploaded via partial PUT.
    2. If all of the following were true, a malicious user could be able to perform remote code execution:
       - writes enabled for the default servlet (disabled by default);
       - support for partial PUT (enabled by default);
       - the application uses Tomcat's file based session persistence with the default storage location;
       - the application includes a library that may be leveraged in a deserialization attack.

    Anyway, I think you misunderstood the reason for my last post. It was to allay @bell_the_cat's concerns about HTTP PUT. I only wished to point out that the vulnerability concerns a partial put, not a put.
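As an added example (not code from the thread, Pete Freitag's post, or Adobe), the following script checks a Tomcat install against two of the preconditions listed above: the `readonly` init-param of the DefaultServlet in conf/web.xml that Charlie's answer refers to (writes are only accepted when it is explicitly `false`), and file-based session persistence (`PersistentManager` with a `FileStore`) in context.xml. The XML fragments are constructed samples; point the functions at your own conf/web.xml and context.xml contents to audit a real server.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs, not taken from a real ColdFusion install.
WEB_XML_WRITABLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
# Same servlet with no readonly param: Tomcat's default (readonly=true) applies.
WEB_XML_DEFAULT = WEB_XML_WRITABLE.replace(
    "<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>", "")
CONTEXT_XML_FILESTORE = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

def _local(tag):
    """Strip the XML namespace prefix that web.xml elements carry."""
    return tag.rsplit("}", 1)[-1]

def default_servlet_writable(web_xml):
    """True only if the DefaultServlet declares readonly=false, i.e. PUT/DELETE are accepted."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = "".join((c.text or "") for c in servlet if _local(c.tag) == "servlet-class")
        if cls.strip() != "org.apache.catalina.servlets.DefaultServlet":
            continue
        for init in servlet:
            if _local(init.tag) != "init-param":
                continue
            p = {_local(c.tag): (c.text or "").strip() for c in init}
            if p.get("param-name") == "readonly":
                return p.get("param-value", "true").lower() == "false"
    return False  # no readonly param present: Tomcat's default is readonly=true

def file_session_persistence(context_xml):
    """True if sessions are persisted with PersistentManager + FileStore (the RCE precondition)."""
    for mgr in ET.fromstring(context_xml).iter("Manager"):
        if mgr.get("className") == "org.apache.catalina.session.PersistentManager":
            return any(s.get("className") == "org.apache.catalina.session.FileStore"
                       for s in mgr.iter("Store"))
    return False

def assess(web_xml, context_xml):
    """Report which of the two checked preconditions hold; both False means neither list applies."""
    writable = default_servlet_writable(web_xml)
    return {"writes_enabled": writable,
            "file_store_rce": writable and file_session_persistence(context_xml)}
```

The remaining conditions in the lists (partial PUT support, upload URL layout, a deserialization gadget on the classpath) are not visible in these two files and still need a separate check.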



    bell_the_cat (Inspiring)
    March 25, 2025

    @Charlie Arehart Thank you for the link.  Very helpful!

    Charlie Arehart
    Community Expert
    March 25, 2025

    Great to hear and glad to have helped. Thanks also for marking an answer. 

    /Charlie (troubleshooter, carehart.org)