CVE-2025-24813: Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet
High
Vulnerability Details
I am sw0rd1ight. I found an Apache Tomcat RCE vulnerability in Tomcat 9.0.98.
If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack
I reported this vulnerability through the official Apache Tomcat security email and received a fix along with a CVE number CVE-2025-24813.
These are screenshots of the email I submitted and the ASF response email.
## Impact
Execute system commands to obtain system permissions
Report Stats
- Report ID: 3031518
- State: Closed
- Substate: resolved
- Upvotes: 4