Vulnerability in Apache Tomcat – What you need to know


On 10 March 2025, a serious vulnerability was disclosed in certain versions of the Tomcat web server, developed by the Apache Software Foundation.

The vulnerability is tracked as CVE-2025-24813, and the affected Tomcat versions are:

  • 9.x, from version 9.0.0-M1 to 9.0.98
  • 10.x, from version 10.1.0-M1 to 10.1.34
  • 11.x, from version 11.0.0-M1 to 11.0.2

Twproject, when installed via the executable file downloadable from the site, uses Apache Tomcat in its 9.0.46 version, thus potentially affected by the problem.

What is the vulnerability CVE-2025-24813

This vulnerability combines remote code execution (RCE) with information disclosure.

This means that an attacker could execute arbitrary code on the affected system and thereby compromise it.

As stated on the vulnerability page, the vulnerability is only exploitable if five different conditions are all met.

The most important of these conditions is that writes must be enabled for Tomcat’s DefaultServlet; the advisory phrases it as ‘writes enabled for the default servlet (disabled by default)’. In other words, writing through the servlet must have been explicitly enabled, since it is disabled by default.

In the standard Twproject installer this setting is also left disabled, so there is no danger in this case.

What Twproject users need to know

As we have seen, for those who installed Twproject without having applied any changes to the configuration files, there is no danger.

The situation is different for those who installed Twproject on their own Apache Tomcat, if it is one of the versions affected by the vulnerability.

To make sure that your server is not exposed to an attack, it is good practice to follow the steps below.

1. Locate the file

The DefaultServlet is implemented in the class org.apache.catalina.servlets.DefaultServlet and is used to serve static files or to provide directory listings.

Its parameters are configured in the web.xml file, located in Tomcat’s conf folder (where all the configuration files are located).

2. Check configuration

The default configuration of the DefaultServlet is as follows:

    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

The parameter that enables writing to the server is ‘readonly’, when it is set to ‘false’.

So a configuration that exposes the server to attack looks like this:

        <init-param>
            <param-name>readonly</param-name>
            <param-value>false</param-value>
        </init-param>

3. Intervene if necessary

If, therefore, the parameter is present and its value is ‘false’, it is essential to set it to ‘true’ so that the DefaultServlet can no longer write.

Alternatively, you can upgrade Apache Tomcat to a version outside the affected ranges listed above.

If, however, the parameter is not present in the file, there is no problem: the default value applies!

Please note: there may be more than one web.xml file, depending on the server architecture, so it is a good idea to check them all!
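As an added check (not part of the Twproject post or product), the following Python script walks a Tomcat directory tree, parses every web.xml it finds, and reports the ones whose DefaultServlet declaration sets readonly=false; it also tests a version string against the affected ranges listed above. The sample web.xml contents are constructed for the demonstration.

```python
import os
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
# Affected (minor, patch) ranges per major line, taken from the ranges quoted in the post.
AFFECTED = {9: ((0, 0), (0, 98)), 10: ((1, 0), (1, 34)), 11: ((0, 0), (0, 2))}

def version_affected(version: str) -> bool:
    """True if a Tomcat version such as '9.0.46' or '10.1.0-M1' lies in an affected range."""
    major, minor, patch = (int(p) for p in version.split("-")[0].split("."))
    return major in AFFECTED and AFFECTED[major][0] <= (minor, patch) <= AFFECTED[major][1]

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # drop the Java EE / Jakarta namespace that real web.xml files declare

def default_servlet_writable(web_xml_text: str) -> bool:
    """True if a DefaultServlet declaration sets readonly=false (absent means the safe default)."""
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in servlet}
        if fields.get("servlet-class") != DEFAULT_SERVLET and fields.get("servlet-name") != "default":
            continue
        for param in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip().lower() for c in param}
            if kv.get("param-name") == "readonly" and kv.get("param-value") == "false":
                return True
    return False

def scan_web_xml_files(root_dir: str) -> list:
    """Walk a Tomcat tree and list every web.xml that enables DefaultServlet writes."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        if "web.xml" in files:
            path = os.path.join(dirpath, "web.xml")
            with open(path, encoding="utf-8") as fh:
                if default_servlet_writable(fh.read()):
                    hits.append(path)
    return sorted(hits)

# Constructed sample files, not taken from any real installation.
SAFE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>
<servlet-name>default</servlet-name><servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
WRITABLE_WEB_XML = SAFE_WEB_XML.replace("</servlet>", "<init-param><param-name>readonly"
                                        "</param-name><param-value>false</param-value></init-param></servlet>")
```

Run scan_web_xml_files against the Tomcat installation root so that both conf/web.xml and every web application's own web.xml are covered.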

Final remarks

We hope that we have provided all the information needed to reassure our users and instruct them properly in case action is needed.

If you need more support, please do not hesitate to contact us through our channels.

For more on this topic:

https://tomcat.apache.org/security-9.html

https://nvd.nist.gov/vuln/detail/CVE-2025-24813

https://www.cisecurity.org/advisory/a-vulnerability-in-apache-tomcat-could-allow-for-remote-code-execution_2025-027
