fix: Update Tomcat to 10.1.35 to address CVE-2025-24813 #4543

Status: Open. Wants to merge 1 commit into base: master.

Conversation

kfiramar
Summary

This PR updates the embedded Tomcat version from 10.1.12 to 10.1.35 to fix CVE-2025-24813, a critical vulnerability that could lead to Remote Code Execution and/or Information disclosure.

Details

  • CVE ID: CVE-2025-24813
  • CVSS Score: 9.8 (Critical)
  • Component: tomcat-embed-el 10.1.12
  • Fixed Version: 10.1.35

Vulnerability Description

Path Equivalence vulnerability in Apache Tomcat's Default Servlet could allow:

  • Remote Code Execution
  • Information disclosure
  • Malicious content injection

The vulnerability affects:

  • Apache Tomcat 11.0.0-M1 through 11.0.2
  • Apache Tomcat 10.1.0-M1 through 10.1.34
  • Apache Tomcat 9.0.0.M1 through 9.0.98

Changes

  • Updated pom.xml to override Tomcat version to 10.1.35
  • This ensures all Tomcat embedded dependencies use the patched version

Testing

  • Built the project successfully with the updated dependency
  • The application compiles and packages without issues

References

🤖 Generated with Claude Code

This commit updates the embedded Tomcat version from 10.1.12 to 10.1.35
to fix CVE-2025-24813, a critical vulnerability (CVSS 9.8) that could
lead to Remote Code Execution and/or Information disclosure via the
Default Servlet in Apache Tomcat.

The vulnerability affects Apache Tomcat:
- from 11.0.0-M1 through 11.0.2
- from 10.1.0-M1 through 10.1.34
- from 9.0.0.M1 through 9.0.98

By updating to Tomcat 10.1.35, this vulnerability is resolved.

Fixes: CVE-2025-24813

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
@kfiramar kfiramar requested a review from a team as a code owner July 13, 2025 11:20
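A reviewer's check to go with this PR, added here as an example and not part of the project's code or the PR itself: the PR names tomcat-embed-el as the component, but the Default Servlet that CVE-2025-24813 concerns lives in tomcat-embed-core, so the thing worth confirming is that every org.apache.tomcat.embed artifact the build resolves (core, el, websocket) actually ends up at 10.1.35 after the pom.xml override, not just the one a scanner happened to flag. The script below parses `mvn dependency:tree` output, compares each embedded Tomcat artifact against the affected ranges quoted in the PR description (first fixed releases 9.0.99, 10.1.35 and 11.0.3 per branch, per the Apache advisory), and reports anything still in range. The dependency tree in `SAMPLE_TREE` is constructed for the example and shows a build where only tomcat-embed-el was bumped.

```python
"""Audit `mvn dependency:tree` output for embedded Tomcat versions still
affected by CVE-2025-24813.

Added example for review of this PR; not project code.  The affected
ranges are the ones quoted in the PR description (from the Apache
advisory); the per-branch fixed releases are 9.0.99, 10.1.35 and 11.0.3.
"""
import re
from typing import Dict, List, Optional, Tuple

# A Tomcat version is major.minor.patch with an optional milestone suffix,
# written "-M1" on 10.x/11.x and ".M1" on 9.x.  A milestone sorts before
# the final release with the same number, so a release gets a large marker.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
_RELEASE = 10**9


def parse_tomcat_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '10.1.0-M1' into a comparable tuple; reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone else _RELEASE)


# (first affected, last affected, first fixed) for each supported branch.
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.98", "9.0.99"),
    ("10.1.0-M1", "10.1.34", "10.1.35"),
    ("11.0.0-M1", "11.0.2", "11.0.3"),
]


def fixed_version_for(version: str) -> Optional[str]:
    """First fixed release on `version`'s branch if `version` is affected,
    otherwise None (also None for branches the advisory does not list)."""
    v = parse_tomcat_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        if parse_tomcat_version(first) <= v <= parse_tomcat_version(last):
            return fixed
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


# One dependency:tree line looks like
#   [INFO] |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.12:compile
# i.e. groupId:artifactId:packaging:version[:scope].
_COORD_RE = re.compile(
    r"([A-Za-z0-9_.-]+):([A-Za-z0-9_.-]+):[a-z-]+:([A-Za-z0-9_.-]+)")

TOMCAT_EMBED_GROUP = "org.apache.tomcat.embed"


def tomcat_embed_versions(tree_text: str) -> Dict[str, str]:
    """Map every org.apache.tomcat.embed artifact in the tree to the
    version Maven resolved for it."""
    found: Dict[str, str] = {}
    for line in tree_text.splitlines():
        m = _COORD_RE.search(line)
        if m and m.group(1) == TOMCAT_EMBED_GROUP:
            found[m.group(2)] = m.group(3)
    return found


def audit_tree(tree_text: str) -> List[str]:
    """One finding per embedded Tomcat artifact still in an affected range.
    An override that only reaches tomcat-embed-el leaves tomcat-embed-core,
    which carries the Default Servlet, flagged here."""
    findings = []
    for artifact, version in sorted(tomcat_embed_versions(tree_text).items()):
        fixed = fixed_version_for(version)
        if fixed:
            findings.append(
                f"{artifact} {version} is affected by CVE-2025-24813; "
                f"upgrade to {fixed}")
    return findings


# Constructed sample: a build where only tomcat-embed-el was bumped.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.12:compile
[INFO] +- org.apache.tomcat.embed:tomcat-embed-el:jar:10.1.35:compile
[INFO] \\- org.apache.tomcat.embed:tomcat-embed-websocket:jar:10.1.12:compile
"""

if __name__ == "__main__":
    for finding in audit_tree(SAMPLE_TREE):
        print(finding)
```

To run it against the real build after the pom.xml change, save `mvn dependency:tree -Dincludes=org.apache.tomcat.embed` output to a file and pass its contents to `audit_tree`; an empty list is the result the PR's "Fixed Version: 10.1.35" claim needs, and a finding for tomcat-embed-core means the override did not reach the artifact that matters.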
@github-actions github-actions bot left a comment

Hello there kfiramar! 👋

Thank you and congrats 🎉 for opening your first PR on this project! ✨ 💖

We will try to review it soon!

Labels: None yet
Projects: None yet
2 participants