Skip to content

fix: Update Tomcat to 10.1.35 to address CVE-2025-24813#4543

Open
kfiramar wants to merge 1 commit intoprovectus:masterfrom
kfiramar:fix/cve-2025-24813-tomcat-update
Open

fix: Update Tomcat to 10.1.35 to address CVE-2025-24813#4543
kfiramar wants to merge 1 commit intoprovectus:masterfrom
kfiramar:fix/cve-2025-24813-tomcat-update

Conversation

@kfiramar
Copy link

@kfiramar kfiramar commented Jul 13, 2025

Summary

This PR updates the embedded Tomcat version from 10.1.12 to 10.1.35 to fix CVE-2025-24813, a critical vulnerability that could lead to Remote Code Execution and/or Information disclosure.

Details

  • CVE ID: CVE-2025-24813
  • CVSS Score: 9.8 (Critical)
  • Component: tomcat-embed-el 10.1.12
  • Fixed Version: 10.1.35

Vulnerability Description

Path Equivalence vulnerability in Apache Tomcat's Default Servlet could allow:

  • Remote Code Execution
  • Information disclosure
  • Malicious content injection

The vulnerability affects:

  • Apache Tomcat 11.0.0-M1 through 11.0.2
  • Apache Tomcat 10.1.0-M1 through 10.1.34
  • Apache Tomcat 9.0.0.M1 through 9.0.98

Changes

  • Updated pom.xml to override Tomcat version to 10.1.35
  • This ensures all Tomcat embedded dependencies use the patched version

Testing

  • Built the project successfully with the updated dependency
  • The application compiles and packages without issues

References

🤖 Generated with Claude Code

@kfir-amar @claude
fix: Update Tomcat to 10.1.35 to address CVE-2025-24813
b546078 
This commit updates the embedded Tomcat version from 10.1.12 to 10.1.35
to fix CVE-2025-24813, a critical vulnerability (CVSS 9.8) that could
lead to Remote Code Execution and/or Information disclosure via the
Default Servlet in Apache Tomcat.

The vulnerability affects Apache Tomcat:
- from 11.0.0-M1 through 11.0.2
- from 10.1.0-M1 through 10.1.34
- from 9.0.0.M1 through 9.0.98

By updating to Tomcat 10.1.35, this vulnerability is resolved.

Fixes: CVE-2025-24813

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@kfiramar kfiramar requested a review from a team as a code owner July 13, 2025 11:20
github-actions[bot]
github-actions bot reviewed Jul 13, 2025
View reviewed changes
Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello there kfiramar! 👋

Thank you and congrats 🎉 for opening your first PR on this project! ✨ 💖

We will try to review it soon!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kfiramar @kfir-amar