Apache Tomcat Deserialization Remote Code Execution Vulnerability
Vulnerability Information
Vulnerability name: Apache Tomcat Deserialization Remote Code Execution Vulnerability
Vulnerability ID:
- CVE: CVE-2025-24813
Vulnerability type: Deserialization
Severity: Critical
Description: Apache Tomcat is a widely used open-source Java Servlet container that implements the Java Servlet and JavaServer Pages (JSP) technologies and provides the runtime environment for many enterprise web applications. Owing to its performance and stability, Tomcat is deployed worldwide for web services of every scale. CVE-2025-24813 concerns Tomcat's deserialization mechanism: an attacker crafts a malicious session file, uploads it to the server with an HTTP PUT request, and then triggers the deserialization process to execute arbitrary Java code. The root cause is that Tomcat does not sufficiently validate input data when processing session files, resulting in an unsafe deserialization operation. By exploiting this vulnerability an attacker can remotely execute arbitrary commands without authorization and take full control of the affected server, which may lead to data leakage, service disruption, or more serious security incidents. Notably, exploitation requires no form of authentication and can be triggered remotely over the network, so the risk is extremely high. Affected Tomcat versions are 9.0.0.M1 through 9.0.98, 10.1.0-M1 through 10.1.34, and 11.0.0-M1 through 11.0.2.
Vendor: Apache
Product: Apache Tomcat
Affected versions: 9.0.0.M1 <= version <= 9.0.98, 10.1.0-M1 <= version <= 10.1.34, 11.0.0-M1 <= version <= 11.0.2
Source: https://github.com/sentilaso1/CVE-2025-24813-Apache-Tomcat-RCE-PoC
Type: CVE-2025:github search
Repository files
- CVE-2025-24813.py
- README.md
Source overview
CVE-2025-24813 Apache Tomcat RCE PoC
Description
This is a Proof of Concept (PoC) for CVE-2025-24813, a Remote Code Execution (RCE) vulnerability in Apache Tomcat. The vulnerability arises from unsafe deserialization of crafted session files uploaded via HTTP PUT requests, allowing attackers to execute arbitrary code remotely on vulnerable Tomcat servers.
Vulnerability Details
- CVE ID: CVE-2025-24813
- Affected Software: Apache Tomcat (versions 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34, 11.0.0-M1 to 11.0.2)
- Type: Remote Code Execution (RCE)
- Attack Vector: HTTP PUT with crafted session payload + HTTP GET to trigger deserialization
- Impact: Remote attacker can execute arbitrary Java code on the server
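For triage, the first thing a defender needs is a reliable way to decide whether an inventoried Tomcat version falls inside the affected ranges above. The script below is an added example, not part of the PoC repository; it encodes only the three ranges this page lists and handles Tomcat's two milestone spellings ("9.0.0.M1" with a dot, "10.1.0-M1" with a hyphen), which sort before the GA release with the same numbers. The sample inventory at the bottom is constructed.

```python
import re

# Affected ranges exactly as listed in the advisory above (inclusive at both ends).
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.98"),
    ("10.1.0-M1", "10.1.34"),
    ("11.0.0-M1", "11.0.2"),
]

# Tomcat writes milestones as "9.0.0.M1" (dot) or "10.1.0-M1" (hyphen).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def version_key(version: str) -> tuple:
    """Map a Tomcat version string to a sortable tuple.

    Milestones sort before the GA release with the same numbers:
    (major, minor, patch, 0, milestone) < (major, minor, patch, 1, 0).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside one of the affected ranges on this page."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def triage(versions) -> dict:
    """Split an inventory of version strings into affected and unaffected lists."""
    result = {"affected": [], "unaffected": []}
    for v in versions:
        result["affected" if is_vulnerable(v) else "unaffected"].append(v)
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["9.0.98", "9.0.99", "10.1.0-M1", "10.1.35", "11.0.2", "8.5.100"]
    for v in sample:
        print(f"{v:>10}: {'AFFECTED' if is_vulnerable(v) else 'ok'}")
```

Versions outside the listed ranges (for example the 8.5.x line) are reported as unaffected because this page does not list them; extend AFFECTED_RANGES if the vendor advisory you rely on names additional ranges.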
Prerequisites
- Target must be running a vulnerable version of Apache Tomcat
- HTTP PUT requests must be allowed to upload files to a writable directory
- Ability to trigger deserialization by accessing the uploaded session file
- Java environment for generating payloads (e.g., using ysoserial)
Usage
Generate payload (optional, if not included):
java -jar ysoserial.jar CommonsCollections1 "your_command" > payload.ser
Run the PoC script:
python3 CVE-2025-24813.py [options]
The script will upload the malicious session file and trigger remote code execution.
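The upload-then-trigger sequence the README describes (an HTTP PUT followed by an HTTP GET from the same client) leaves a recognisable trace in Tomcat's access log. The detector below is an added example, not part of the PoC repository: it parses lines in the AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b), records every PUT, and pairs each PUT with a later GET from the same client inside a configurable window. The log lines are constructed (RFC 5737 documentation addresses, an invented upload path) and the 300-second window is an assumption to tune for your traffic.

```python
import re
from datetime import datetime

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample log lines; hosts are RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "PUT /upload/sess.dat HTTP/1.1" 201 0
198.51.100.7 - - [10/Mar/2025:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 1234
203.0.113.5 - - [10/Mar/2025:12:00:05 +0000] "GET /index.jsp HTTP/1.1" 500 0
198.51.100.7 - - [10/Mar/2025:12:30:00 +0000] "GET /static/app.js HTTP/1.1" 200 8765
""".splitlines()


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "host": m["host"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect(lines, window_seconds: int = 300) -> dict:
    """Return every PUT seen, plus PUT->GET pairs from the same client within the window.

    A PUT against a Tomcat host that should never accept uploads is itself worth
    review; a GET from the same client shortly afterwards matches the
    upload-then-trigger sequence described in this README.
    """
    puts_by_host = {}
    findings = {"puts": [], "put_then_get": []}
    for ev in filter(None, map(parse_line, lines)):
        if ev["method"] == "PUT":
            puts_by_host.setdefault(ev["host"], []).append(ev)
            findings["puts"].append(ev)
        elif ev["method"] == "GET":
            for put in puts_by_host.get(ev["host"], []):
                delta = (ev["ts"] - put["ts"]).total_seconds()
                if 0 <= delta <= window_seconds:
                    findings["put_then_get"].append({
                        "host": ev["host"],
                        "put_path": put["path"],
                        "put_status": put["status"],
                        "get_path": ev["path"],
                        "get_status": ev["status"],
                        "seconds_apart": delta,
                    })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG)["put_then_get"]:
        print(f"{f['host']}: PUT {f['put_path']} ({f['put_status']}) then "
              f"GET {f['get_path']} ({f['get_status']}) {f['seconds_apart']:.0f}s later")
```

The PUT precondition listed under Prerequisites maps to the DefaultServlet's readonly init-param in Tomcat, which rejects PUT and DELETE when left at its default of true; any accepted PUT on a server where that setting was never relaxed on purpose deserves investigation on its own, before the GET correlation even fires.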
Disclaimer
This PoC is for educational and authorized testing purposes only. Do NOT use it on systems without explicit permission. The author is not responsible for any misuse or damage caused by this tool.