14 April 2025
Typefi is aware of the recently disclosed security advisory concerning Apache Tomcat CVE-2025-24813. The Typefi engineering teams have investigated how this vulnerability may affect our customers. Our findings indicate that Typefi Server 8.14 and later (Tomcat 10.1.x) and Typefi Server 8.13 and earlier (Tomcat 9.0.x) are not affected by this vulnerability.
Why Typefi software is not affected
The vulnerability in question requires specific conditions to be exploitable, most importantly that "writes to the Default Servlet are enabled". Writes are controlled by the default servlet's readonly initialisation parameter in Tomcat's conf/web.xml; it is true (writes disabled) by default in Apache Tomcat and remains so for all Typefi products.
Background
CVE-2025-24813 is a path equivalence flaw in Apache Tomcat's handling of partial PUT requests. Depending on configuration, it could allow an attacker to view security-sensitive files or inject content into those files. Exploiting the vulnerability requires all of the following conditions to hold at the same time:
- writes to the default servlet are enabled (disabled by default),
- the target URL for security-sensitive uploads is a sub-directory of a target URL for public uploads,
- the attacker knows the names of the security-sensitive files being uploaded, and
- those files are uploaded via partial PUT (support for partial PUT is enabled by default).
Remote Code Execution (RCE) is possible under a further set of conditions: writes to the default servlet are enabled, partial PUT is enabled, the application uses Tomcat's file-based session persistence with the default storage location, and the application includes a library that can be leveraged in a deserialization attack.
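The following script is an added example for this advisory, not Typefi's or Apache's own tooling. It encodes the two checks an administrator can run against a Tomcat instance: whether the default servlet in conf/web.xml has readonly set to false (the precondition named above; absent means Tomcat's default of true), and whether the Tomcat version predates the first fixed release on its branch (9.0.99, 10.1.35 and 11.0.3, as published in the Apache advisory). The web.xml fragments are constructed samples modelled on the shipped default servlet block, and the function names are this example's own. It assumes partial PUT is at its default (enabled).

```python
"""Check a Tomcat deployment against the CVE-2025-24813 preconditions.

Added example for this advisory; it is not Typefi's or Apache's own tooling.
It parses a Tomcat conf/web.xml (constructed samples below) for the default
servlet's 'readonly' init-param and compares the Tomcat version with the
first fixed release on each branch named in the Apache advisory.
"""
import re
import xml.etree.ElementTree as ET

# First release on each branch that fixes CVE-2025-24813 (Apache advisory).
FIXED_IN = {(9, 0): (9, 0, 99), (10, 1): (10, 1, 35), (11, 0): (11, 0, 3)}


def _local(tag):
    """Strip the namespace: Tomcat 9 uses javaee, Tomcat 10.1 uses jakartaee."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_init_params(web_xml):
    """Return {param-name: param-value} for the servlet named 'default'."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        names = [c for c in servlet if _local(c.tag) == "servlet-name"]
        if not names or (names[0].text or "").strip() != "default":
            continue
        params = {}
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in init_param}
            if "param-name" in kv:
                params[kv["param-name"]] = kv.get("param-value", "")
        return params
    return {}


def default_servlet_writable(web_xml):
    """True when PUT/DELETE reach the default servlet, i.e. readonly=false.

    Tomcat's default is readonly=true, so a missing parameter means read-only."""
    value = default_servlet_init_params(web_xml).get("readonly", "true")
    return value.lower() == "false"


def parse_version(version):
    """'10.1.34' -> (10, 1, 34); milestones such as '10.1.0-M1' parse as (10, 1, 0)."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    return tuple(int(part) for part in match.groups())


def tomcat_version_unpatched(version):
    """True if the release predates the fix on its branch.

    Branches the advisory does not list (e.g. EOL 8.5.x and 10.0.x) never
    received a fix, so they are compared against the newest fixed release and
    therefore count as unpatched."""
    parsed = parse_version(version)
    fixed = FIXED_IN.get(parsed[:2], max(FIXED_IN.values()))
    return parsed < fixed


def exposed(version, web_xml):
    """The advisory's point: an unpatched Tomcat is only reachable through this
    CVE when the default servlet accepts writes. Partial PUT, the other
    default-on precondition, is assumed to be at its default (enabled)."""
    return tomcat_version_unpatched(version) and default_servlet_writable(web_xml)


# Constructed sample: the default-servlet block as Tomcat ships it (readonly absent).
SHIPPED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample: an administrator has enabled writes (the weak setting).
WRITABLE_WEB_XML = SHIPPED_WEB_XML.replace(
    "<load-on-startup>",
    "<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>\n"
    "    <load-on-startup>",
)

if __name__ == "__main__":
    for ver, cfg, label in [("10.1.34", SHIPPED_WEB_XML, "shipped config"),
                            ("10.1.34", WRITABLE_WEB_XML, "readonly=false"),
                            ("10.1.35", WRITABLE_WEB_XML, "readonly=false, patched")]:
        print(f"Tomcat {ver}, {label}: exposed={exposed(ver, cfg)}")
```

To run it against a real instance, read $CATALINA_BASE/conf/web.xml into a string and take the version from the Tomcat startup log or from catalina.sh version. Note that a per-application WEB-INF/web.xml can also declare the default servlet with its own init-params, so check those too if your deployment has any.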
Are Typefi Cloud servers affected?
No. The Tomcat packages as shipped with Typefi Cloud do not have writes to the default servlet enabled, which is a required condition to exploit this vulnerability.
Are my on-premises Workgroup or Desktop servers affected?
No. The Tomcat packages as shipped with Typefi Server do not have writes to the default servlet enabled, which is a required condition to exploit this vulnerability.
What is Typefi doing to address this?
In our investigations, we have determined that none of our products or solutions are vulnerable to CVE-2025-24813 in their default configuration. However, as part of our commitment to security, a future release of Typefi Server will incorporate Tomcat 10.1.35 or later, the first 10.1.x release that includes the fix.
What actions should I take?
No immediate action is required. We recommend continuing to follow best practices: use strong, unique passwords, place Typefi Server behind a proxy or reverse proxy when it is public-facing, and update your Typefi software regularly. If you have modified the default servlet configuration in Tomcat's conf/web.xml on an on-premises server (for example, set readonly to false to accept PUT requests), the finding above no longer applies to that server and you should restore the shipped setting or update to a fixed Tomcat release.
For more information on our product support policy and supported versions, see the Typefi product support matrix. If you need additional details or assistance, please contact Typefi Support.