CVE ID: CVE-2025-24813
Vendor: Apache
Product: Tomcat
Date Added: 2025-04-01
Vulnerability: Apache Tomcat Path Equivalence Vulnerability
Notes: https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq ; https://nvd.nist.gov/vuln/detail/CVE-2025-24813
CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2025-24813
@buherator @GossiTheDog @cisakevtracker CISA has been skeptical about this one too, from what I've heard, and has wanted to confirm that any exploitation was both successful and specifically this vulnerability.
@cR0w @buherator @cisakevtracker yeah, I’ve yet to find anything vuln tbh. I tested all the potentially impacted GitHub repos and none were actually vuln.
@GossiTheDog @buherator @cisakevtracker Given how it's all gone, it feels like an obscure bug was found and then it was found to be exploitable in an obscure configuration. And some operator somewhere saw the bug, saw their targets' systems, and finally found a hole that fit that particular peg.
Alternatively, but less likely I think, it was quietly exploited against a very specific target and then it was discovered independently. With all the hype, the exploitation was finally discovered and properly demonstrated to CISA. In that case, I would be really interested in the whole story.