CVE-2025-24813 - Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet

Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet - CVE-2025-24813

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:

• writes enabled for the default servlet (disabled by default)
• support for partial PUT (enabled by default)
• a target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads
• attacker knowledge of the names of security sensitive files being uploaded
• the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

• writes enabled for the default servlet (disabled by default)
• support for partial PUT (enabled by default)
• application was using Tomcat's file based session persistence with the default storage location
• application included a library that may be leveraged in a deserialization attack

Redwood Engineering is aware of this vulnerability and is working to patch Tomcat in Redwood Platform to a version that is not affected by this vulnerability.

Reference:
[ENV-2993] Patch Tomcat 10 to fix CVE-2025-24813 - Jira