Security Patch - May 2025

October 29, 2025

A new vulnerability was uncovered in the Apache Tomcat web application server, tracked under the following reference: CVE-2025-24813. It has a critical common vulnerability score (CVSS = 9.8) and a very high exploit prediction score (EPSS = 0.93672). Customers asked us whether their Jahia installations are affected. All Jahia installations come with a conf/web.xml file, where the readonly parameter of the Tomcat default servlet is not set. This means that the servlet is read-only by default and that PUT requests are declined by that servlet, so we expect that most Jahia environments are safe.

Affected versions

  • All versions of Jahia running with a Tomcat version lower than 9.0.99 on which the Tomcat configuration (conf/web.xml) has been modified by setting readonly for the default servlet to false
  • Jahia Cloud instances are not affected, because the setting mentioned above is not modified there.
  • Jahia Docker images from Jahia 8.2.1.0 onwards and "new" Jahia on-premise installations of Jahia 8.2.1.0 use Tomcat version 9.0.99, which is not affected by CVE-2025-24813, even if the readonly parameter of the Tomcat default servlet is set to false.

Please be aware that upgrading Jahia with our fix-appliers on on-premise installations never automatically upgrades Tomcat. Therefore all our Jahia upgrade instructions contain this notice:

We encourage you to regularly upgrade your Tomcat version in order to keep your environment up-to-date and safe. Here is the list of the vulnerabilities in older Tomcat 9 versions: https://tomcat.apache.org/security-9.html

This security advisory emphasises again that this notice needs to be taken seriously, because several older Tomcat 9 based CVEs are really exploitable on default Jahia installations. Please check the Tomcat version used on your installation and upgrade to at least 9.0.99 with the following instructions.

Addressing Tomcat vulnerabilities

To address the current and older vulnerabilities you need to upgrade the Tomcat version to a non-vulnerable version, which currently is at least 9.0.104.

To upgrade your Tomcat version, perform the following steps:

  1. Download the Tomcat version 9.0.104
  2. Shutdown Jahia
  3. Store the old Tomcat version as fallback somewhere else
  4. In your installation, backup or rename the existing Tomcat folder
  5. Unzip the new Tomcat
  6. Put back your ROOT or context-folder in the webapps-folder of Tomcat
  7. Copy the DB libraries listed below from /tomcat/lib (from the backup)
    derby-<version>.jar
    mysql-connector-java-<version>.jar
    mariadb-java-client-<version>.jar
    mssql-jdbc-<version>.jar
    ojdbc8-<version>.jar
    orai18n-<version>.jar
    postgresql-<version>.jar
  8. Copy and paste /tomcat/conf/server.xml from the backup - and add the parameter secretRequired="false" to the AJP Connector (if not already present)
  9. Copy and paste /tomcat/conf/catalina.properties from the backup
  10. Copy and paste /tomcat/bin/setenv.* (bat or sh) from the backup - and if not already present set org.apache.catalina.connector.RECYCLE_FACADES=false to disable the recycling of facade objects for requests (more details here)
  11. Start your environment

Mitigation

As an alternative to upgrading Apache Tomcat, if your project requires the readonly parameter of the default servlet to be set to false, you can do the following:

  • Disable Partial PUT Support: If partial PUT functionality is not required, disable it by setting the allowPartialPut parameter to false.
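
As an added check (not Jahia's or Tomcat's own code), the following Python script applies the three conditions described in this advisory to a conf/web.xml: the Tomcat version, the readonly init-param of the default servlet, and the allowPartialPut mitigation. The two web.xml fragments are constructed samples; the 9.0.99 threshold and the parameter names come from the advisory.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments of a Tomcat conf/web.xml (not Jahia's file).
WEB_XML_DEFAULT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Same file with the modification the advisory warns about: readonly set to false.
WEB_XML_WRITABLE = WEB_XML_DEFAULT.replace(
    "</servlet>",
    "<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>\n  </servlet>")

def _local(tag):
    # Drop the XML namespace so javaee and jakartaee descriptors are handled alike.
    return tag.rsplit("}", 1)[-1]

def default_servlet_params(web_xml_text):
    """Return the init-params of the servlet named 'default' as a dict."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text for c in servlet if _local(c.tag) == "servlet-name"), "")
        if (name or "").strip() != "default":
            continue
        params = {}
        for ip in servlet:
            if _local(ip.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in ip}
                params[kv.get("param-name")] = kv.get("param-value")
        return params
    return {}

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def assess(web_xml_text, tomcat_version):
    """Return (exposed, reason) for CVE-2025-24813 per the advisory's conditions."""
    params = default_servlet_params(web_xml_text)
    readonly = params.get("readonly", "true").lower()          # Tomcat default: read-only
    partial_put = params.get("allowPartialPut", "true").lower()
    if parse_version(tomcat_version) >= (9, 0, 99):
        return False, "Tomcat %s is not affected" % tomcat_version
    if readonly != "false":
        return False, "default servlet is read-only; PUT is refused"
    if partial_put == "false":
        return False, "readonly=false but allowPartialPut=false mitigates"
    return True, "Tomcat %s with readonly=false and partial PUT enabled: upgrade" % tomcat_version
```

Run assess() on the real conf/web.xml contents and the version reported by Tomcat's version.sh to get the verdict for an installation.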

Please do not hesitate to reach out to Jahia Support if you have any questions or concerns.