Security Advisory: Apache Tomcat CVE-2025-24813 and Xerox DocuShare

Applies To

Overview

CVE-2025-24813 is an Apache Tomcat path equivalence vulnerability involving a write-enabled DefaultServlet and additional conditions such as partial PUT handling and specific upload paths.

Although exploitation requires more than Tomcat version alone, Xerox produced updated Tomcat patch levels for the supported DocuShare versions so customers can align to the fixed 9.0.106.

What the Vulnerability Requires

Apache identified several conditions that must align for exploitation.

• Tomcat in an affected version range prior to the fixed release.
• The Tomcat DefaultServlet configured to allow writes, which is not the default Tomcat setting.
• Partial PUT support available to the attacker.
• A deployment pattern where security-sensitive upload paths or file-based session persistence create an exploitable target.

DocuShare Assessment

What You Should Do

• If you are running DocuShare 7.5, 7.6, or 7.7, confirm that the applicable DocuShare Tomcat patch has been installed so your environment is using Apache Tomcat 9.0.106.
• If that DocuShare Tomcat patch has not been installed, schedule it for the affected 7.x version.
• If you are running DocuShare 8.0, verify that your environment is using the standard DocuShare 8.0 build that ships with Apache Tomcat 9.0.106.
• If you maintain Tomcat customizations, also confirm that the DefaultServlet has not been made write-enabled.