Here’s a deep dive into two recent high-profile security flaws—Tomcat’s Partial PUT attack and Camel’s Header Hijack—explaining their mechanisms, risks, and real-world exploitation scenarios.
Tomcat’s Partial PUT Attack
Overview
- Vulnerability Identifier: CVE-2025-24813
- Impact: Unauthenticated Remote Code Execution (RCE)
- Affected Versions: Apache Tomcat 9.0.0.M1–9.0.98, 10.1.0-M1–10.1.34, 11.0.0-M1–11.0.2
How the Attack Works
The Partial PUT attack exploits Tomcat's support for the HTTP PUT method with the Content-Range header, which allows partial file updates. Tomcat can persist HTTP sessions by serializing them to disk. If partial PUT is enabled, attackers can manipulate session files in a way that leads to code execution.
Example Exploit Scenario
- Crafting the Malicious Session File:
  - An attacker prepares a serialized Java object containing a payload (for example, a reverse shell).
- Uploading with Partial PUT:
  - The attacker sends a PUT request with the Content-Range header to partially overwrite a session file on the Tomcat server.
  - Example HTTP request:

```text
PUT /path/to/session/file HTTP/1.1
Host: vulnerable.example.com
Content-Range: bytes 0-99/100
Content-Length: 100

[malicious serialized object bytes]
```

- Triggering Deserialization:
  - The attacker sends a request with the corresponding session ID, causing Tomcat to deserialize the session file and execute the payload.
Key Technical Details
- No Authentication Required: Attackers do not need valid credentials.
- Low Complexity: No special conditions or user interaction required.
- Root Cause: Unsafe handling of partial PUT requests and insecure deserialization of session files.
Mitigation Strategies
- Upgrade Tomcat: Apply the latest security patches.
- Disable Partial PUT: If not required, configure Tomcat to reject partial PUT requests.
- Restrict File Uploads: Limit write permissions to session storage directories.
Camel’s Header Hijack Attack
Overview
- Vulnerability Identifier: CVE-2025-27636
- Impact: Arbitrary header injection, potential RCE depending on configuration
- Affected Versions: Apache Camel 4.10.0–4.10.1, 4.8.0–4.8.4, 3.10.0–3.22.3
How the Attack Works
Camel’s HTTP endpoints filter incoming headers to prevent attackers from setting internal headers (like those starting with “Camel” or “org.apache.camel.”). However, the filter was case-sensitive and could be bypassed by manipulating header casing.
Example Exploit Scenario
- Bypassing the Header Filter:
  - The attacker crafts an HTTP request with a header such as CAmelExecCommandExecutable instead of CamelExecCommandExecutable.
- Triggering Command Execution:
  - If the Camel route uses the Exec component, the malicious header can set the executable command.
  - Example HTTP request:

```text
POST /camel/exec HTTP/1.1
Host: vulnerable.example.com
CAmelExecCommandExecutable: /bin/bash
CAmelExecCommandArgs: -c, whoami

[optional body]
```

  - The backend may execute /bin/bash -c whoami, leaking system information or enabling further attacks.
Key Technical Details
- Remote Exploit: Any exposed Camel HTTP endpoint is a potential target.
- No Authentication Needed: Attackers do not need credentials.
- Complexity: Requires knowledge of application internals and specific configurations.
Mitigation Strategies
- Upgrade Camel: Update to a patched version.
- Harden Header Filters: Enforce case-insensitive filtering and validate headers strictly.
- Limit Exposure: Restrict public access to Camel HTTP endpoints.
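As an added example (not code from this page, from Tomcat or from Camel), the following Python inspects raw HTTP requests for the two patterns described above: a partial PUT (PUT carrying Content-Range) and Camel internal header names whose casing slips past a case-sensitive prefix check. The two filter functions are simplified prefix checks standing in for Camel's own header filter strategy, an assumption made here, and the sample requests are constructed from the ones quoted in the text.

```python
import re
from typing import Dict, List, Tuple

# Prefixes the page names as Camel-internal. The pre-fix filter matched them
# with exact case, which is why "CAmelExec..." was not recognised.
INTERNAL_PREFIXES = ("Camel", "org.apache.camel.")


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Parse a raw HTTP/1.1 request head into (method, {header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ", 1)[0]
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, headers


def vulnerable_filter(name: str) -> bool:
    """Simplified pre-fix behaviour: case-sensitive prefix match (bypassable)."""
    return name.startswith(INTERNAL_PREFIXES)


def hardened_filter(name: str) -> bool:
    """Mitigation from the page: compare header names case-insensitively."""
    return name.lower().startswith(tuple(p.lower() for p in INTERNAL_PREFIXES))


def inspect_request(raw: str) -> List[str]:
    """Return the findings a defender would log for one request."""
    method, headers = parse_request(raw)
    findings: List[str] = []
    if method == "PUT" and "content-range" in {h.lower() for h in headers}:
        findings.append("partial PUT (PUT with Content-Range)")
    for name in headers:
        if hardened_filter(name) and not vulnerable_filter(name):
            findings.append(f"internal Camel header bypass attempt: {name}")
        elif hardened_filter(name):
            findings.append(f"internal Camel header from client: {name}")
    return findings


# Constructed sample requests mirroring the two scenarios in the text.
CAMEL_REQUEST = ("POST /camel/exec HTTP/1.1\r\nHost: vulnerable.example.com\r\n"
                 "CAmelExecCommandExecutable: /bin/bash\r\nCAmelExecCommandArgs: -c, whoami\r\n\r\n")
TOMCAT_REQUEST = ("PUT /path/to/session/file HTTP/1.1\r\nHost: vulnerable.example.com\r\n"
                  "Content-Range: bytes 0-99/100\r\nContent-Length: 100\r\n\r\n")

if __name__ == "__main__":
    for raw in (CAMEL_REQUEST, TOMCAT_REQUEST):
        print(inspect_request(raw))
```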
Comparative Table
Attack | Vulnerability | Impact | Authentication Needed | Complexity | Severity | Key Mitigation |
---|---|---|---|---|---|---|
Tomcat Partial PUT | CVE-2025-24813 | Remote Code Execution | No | Low | Critical | Patch, disable partial PUT |
Camel Header Hijack | CVE-2025-27636 | Header Injection / RCE | No | High | Moderate | Patch, harden header filters |