CVE-2025-24813 Vulnerability in Tomcat versions 9.0, 10.1 and 11.0


DSpace Technical Support

Mar 18, 2025, 12:16:19 PM
to DSpace Technical Support
All,

You may have already come across this, but Apache Tomcat has had a major RCE (Remote Code Execution) vulnerability (CVE-2025-24813) announced within the last week, and exploits are already occurring.

While not all installations of Tomcat may be impacted, it is important that all DSpace sites (which often use Tomcat) review the vulnerability information and/or consider an immediate upgrade of your Tomcat installation.

Vulnerable versions of Tomcat include 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34, and 11.0.0-M1 to 11.0.2.

You are NOT impacted if you are already running Tomcat 9.0.99, 10.1.35 or 11.0.3 (or any later Tomcat release).

For more information see these resources:
https://thehackernews.com/2025/03/apache-tomcat-vulnerability-comes-under.html
https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24813

Tim

Michael Plate

Mar 18, 2025, 12:52:41 PM
to dspac...@googlegroups.com
Hi Tim,

thanks for the information.
What about those of us running the embedded version in server-boot.jar -
looking at the logs, ours reports

2025-03-18 17:35:00,130 INFO unknown unknown
org.apache.catalina.core.StandardEngine @ Starting Servlet engine:
[Apache Tomcat/10.1.24]

Version seems to be 10.1.24. Presumably we do need to rebuild?
My maven repo contains this:

.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/
10.1.24 9.0.75

Cleaning the maven repo and rebuilding did not update to anything newer
than 10.1.24.

How does one continue?

CU

Michael

On 18.03.25 at 17:16, DSpace Technical Support wrote:
[…]

DSpace Technical Support

Mar 18, 2025, 5:33:17 PM
to DSpace Technical Support
Hi Michael,

Good question. If you are using the embedded Tomcat (provided by Spring Boot and introduced in DSpace 8), then you should be able to tell Spring Boot to build with a different version by specifying this property in your Parent POM (the root "pom.xml" in the src folder):

<tomcat.version>10.1.39</tomcat.version>

This setting would go in the "<properties>" section alongside all the other version tags that DSpace uses during the build process: https://github.com/DSpace/DSpace/blob/dspace-8.1/pom.xml#L19

Alternatively, if you are running DSpace 8.1 already, you could update the existing "spring-boot.version" setting to be: "<spring-boot.version>3.4.3</spring-boot.version>", as that will also pull in a fixed version of Tomcat 10.1.x. (I'm not sure that change will work with an 8.0 installation though, because it used an older version of Spring Boot.)

After making either of these changes to your pom.xml, you would need to rebuild your DSpace installation, at which point Spring Boot should pull in an updated version of Tomcat.

Tim

mrwer...@gmail.com

Mar 18, 2025, 8:12:19 PM
to DSpace Technical Support

Hi Tim and others,

On DSpace 8.0 I have been able to change the version using the attached patch file. I found that the tomcat.version property alone wasn’t enough to change it and so ended up overriding the dependencies.

-Andrew

--
All messages to this mailing list should adhere to the Code of Conduct: https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
---
You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dspace-tech...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/dspace-tech/10c94e72-d977-436a-bb78-2d97f878967cn%40googlegroups.com.

patch.diff
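An added illustration of the "override the dependencies" approach Andrew describes, written for this thread; it is not Andrew's attached patch.diff (which is not reproduced above) and not DSpace's own pom.xml. It assumes that the DSpace parent POM imports the spring-boot-dependencies BOM in its <dependencyManagement> section, which is why setting <tomcat.version> alone has no effect: the versions inside an imported BOM are already fixed, and Maven keeps the first declaration of a managed dependency it encounters, so explicit entries placed before the BOM import take precedence. The artifact names and the 10.1.39 version come from Tim's reply and from the standard Spring Boot embedded-Tomcat artifacts; the spring-boot.version property is assumed to exist as described in the thread.

```xml
<!-- Illustrative fragment of the DSpace parent pom.xml (not the project's own file).
     Only the elements relevant to pinning embedded Tomcat are shown. -->
<project>
  <properties>
    <!-- Version Tim recommended; reused below so all Tomcat artifacts stay aligned. -->
    <tomcat.version>10.1.39</tomcat.version>
    <!-- Assumed to already exist in DSpace's POM (see Tim's reply). -->
    <spring-boot.version>3.4.3</spring-boot.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Pin the embedded Tomcat artifacts that Spring Boot pulls in.
           These entries MUST precede the spring-boot-dependencies import below,
           otherwise the BOM's (vulnerable) versions win. -->
      <dependency>
        <groupId>org.apache.tomcat.embed</groupId>
        <artifactId>tomcat-embed-core</artifactId>
        <version>${tomcat.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.tomcat.embed</groupId>
        <artifactId>tomcat-embed-el</artifactId>
        <version>${tomcat.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.tomcat.embed</groupId>
        <artifactId>tomcat-embed-websocket</artifactId>
        <version>${tomcat.version}</version>
      </dependency>

      <!-- The BOM import assumed to be present already in DSpace's POM. -->
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>${spring-boot.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

After rebuilding, confirm the override actually took effect rather than trusting the POM edit: `mvn dependency:tree -Dincludes=org.apache.tomcat.embed` should list every tomcat-embed-* artifact at 10.1.39, and the "Starting Servlet engine: [Apache Tomcat/...]" line in the DSpace log (the line Michael quoted) should report the new version once the server restarts. If the tree still shows 10.1.24, the overrides are positioned after the BOM import or a module declares its own version.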

Michael Plate

Mar 19, 2025, 11:08:57 AM
to dspac...@googlegroups.com
Hi Andrew,

On 19.03.25 at 01:12, mrwer...@gmail.com wrote:
> Hi Tim and others,
>
> On DSpace 8.0 I have been able to change the version using the attached
> patch file. I found that the tomcat.version property alone wasn’t enough
> to change it and so ended up overriding the dependencies.
[…]

thanks for the patch 🩹!

Michael
