CVE-2025-24813 is a remote code execution vulnerability in Apache Tomcat.
In https://www.petefreitag.com/blog/tomcat-writes-enabled/, the author writes that checking the web.xml files can show whether it applies.
How can this be found out in Spring Boot, if there are no web.xml files in the resulting jar?
The default servlet is disabled by default in Spring Boot since 2020, see: https://github.com/spring-projects/spring-boot/commit/a19a56541074cf891a58f5bffe5e2357c880ebea#diff-829ef53f73b35e9544921e277455052df073d15569867a2ee8be29daebf2a19f
Therefore, a first indication that a project is potentially vulnerable is whether it reactivates the default servlet with the property "server.servlet.register-default-servlet=true".
The readonly property can also be set programmatically; here is example code of what this would look like:
    import java.util.Map;
    import jakarta.servlet.ServletContext;      // javax.servlet.* on Spring Boot 2.x
    import jakarta.servlet.ServletRegistration;
    import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
    import org.springframework.boot.web.server.WebServerFactoryCustomizer;
    import org.springframework.context.annotation.Bean;

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> customizer() {
        return factory -> factory.addContextCustomizers(context -> {
            ServletContext servletContext = context.getServletContext();
            Map<String, ? extends ServletRegistration> servletRegistrations = servletContext.getServletRegistrations();
            // Spring Boot registers Tomcat's DefaultServlet under the name "default"
            ServletRegistration.Dynamic defaultServletRegistration =
                    (ServletRegistration.Dynamic) servletRegistrations.get("default");
            if (defaultServletRegistration != null) {
                // readonly=false is the init parameter that lets the DefaultServlet accept writes
                defaultServletRegistration.setInitParameter("readonly", "false");
            }
        });
    }
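A static check a defender can run against a built Spring Boot fat jar for the two indicators named in this answer: the register-default-servlet property in packaged application.properties/yml files, and a programmatic readonly override in compiled classes. This is an added example, not code from the original post or from Spring Boot; the jar contents are constructed in build_sample_jar, and the class-file check is a string-literal heuristic whose hits need manual review.

```python
import io
import re
import zipfile

PROP_KEY = "server.servlet.register-default-servlet"
# Heuristic for YAML: matches the leaf key wherever it is nested.
YAML_LEAF = re.compile(r"register-default-servlet\s*:\s*true\b", re.IGNORECASE)

def default_servlet_enabled(props_text: str) -> bool:
    """Return True if a .properties file sets the default-servlet flag to true."""
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m and m.group(1) == PROP_KEY:
            return m.group(2).strip().lower() == "true"
    return False

def audit_jar(jar_bytes: bytes) -> dict:
    """Inspect BOOT-INF/classes of a Spring Boot jar for the two indicators."""
    findings = {"default_servlet_enabled": False, "readonly_hint_classes": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.startswith("BOOT-INF/classes/"):
                continue
            data = jar.read(name)
            text = data.decode("utf-8", "replace")
            if name.endswith(".properties"):
                findings["default_servlet_enabled"] |= default_servlet_enabled(text)
            elif name.endswith((".yml", ".yaml")):
                findings["default_servlet_enabled"] |= bool(YAML_LEAF.search(text))
            elif name.endswith(".class") and b"readonly" in data and b"setInitParameter" in data:
                # String constants sit in the class constant pool as plain ASCII;
                # both literals together hint at a programmatic readonly override.
                findings["readonly_hint_classes"].append(name)
    return findings

def build_sample_jar(props: str, class_bytes: bytes = b"") -> bytes:
    """Constructed stand-in for a Spring Boot fat jar (not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("BOOT-INF/classes/application.properties", props)
        if class_bytes:
            jar.writestr("BOOT-INF/classes/com/example/TomcatConfig.class", class_bytes)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_jar(PROP_KEY + "=true\n", b"\xca\xfe\xba\xbe readonly setInitParameter")
    print(audit_jar(sample))
```

To check a real build, pass the file contents instead: `audit_jar(open("app.jar", "rb").read())`. A positive result only shows that the preconditions are present; the Tomcat version and partial-PUT/session-persistence settings still decide actual exposure.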