Skip to content

Mitigate CVE-2025-24813 by pinning patched Tomcat and hardening embedded servlet behavior#49

Draft
pagarwal-dev with Copilot wants to merge 2 commits into
mainfrom
copilot/update-apache-tomcat-security-fix
Draft

Mitigate CVE-2025-24813 by pinning patched Tomcat and hardening embedded servlet behavior#49
pagarwal-dev with Copilot wants to merge 2 commits into
mainfrom
copilot/update-apache-tomcat-security-fix

Conversation

Copilot AI commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

This PR addresses the critical Tomcat partial PUT vulnerability path (CVE-2025-24813), which can enable RCE, information disclosure, or content corruption when write-capable default servlet behavior is exposed. It updates runtime Tomcat resolution and hardens embedded Tomcat request/servlet settings to reduce exploitability.

  • Dependency remediation

    • Pin Tomcat to a patched line by setting:
      • extra["tomcat.version"] = "9.0.99"
    • Ensures Spring Boot’s embedded Tomcat modules resolve to a fixed tomcat-embed-core version instead of the vulnerable baseline.
  • Embedded Tomcat hardening

    • Add TomcatSecurityConfig with a WebServerFactoryCustomizer<TomcatServletWebServerFactory> to:
      • Disable partial PUT handling via connector property:
        • allowPartialPut=false
      • Enforce read-only default servlet behavior:
        • readonly=true on the default servlet wrapper
factory.addConnectorCustomizers(connector ->
    connector.setProperty("allowPartialPut", "false"));

factory.addContextCustomizers(context -> {
    Container defaultServlet = context.findChild("default");
    if (defaultServlet instanceof Wrapper) {
        ((Wrapper) defaultServlet).addInitParameter("readonly", "true");
    }
});

Copilot AI changed the title [WIP] Update Apache Tomcat to fix CVE-2025-24813 vulnerability Mitigate CVE-2025-24813 by pinning patched Tomcat and hardening embedded servlet behavior Jun 29, 2026
Copilot AI requested a review from pagarwal-dev June 29, 2026 13:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants