NVD - CVE-2025-24813 (Apache Tomcat vulnerability)

Regarding this very serious Apache Tomcat vulnerability:

There is a proof-of-concept exploit here, written in Python.

This script will test your server and show if it is vulnerable.

I'm a Mac user, but since modern macOS does not have Python installed, I tested using Ubuntu 24:

Steps

  1. find or create a VM running Linux. I used Ubuntu 24. For example, if you are running Parallels on macOS, you can download and create a new Ubuntu VM in a few minutes.
  2. download the exploit test file from GitHub
    Click on the file CVE_2025_24813.py then click the download arrow which looks like this:
  3. open the Ubuntu Terminal (to find the Terminal app, click the bar icon on the top upper left of screen, type Terminal)
  4. in the Terminal app, run these commands
# go to the downloads folder
cd Downloads
# run the test script
# replace the URL with your server URL - include the /fmi/webd path
python3 ./CVE_2025_24813.py  https://example.com/fmi/webd

You should see something like this:

[*] Session ID: XXXXXXXXXXXXXXXXXXXX.jwpc1
[-] Server is not writable (HTTP 400)

I have tested with servers running FMS 20.3.2.205 and none seem to be vulnerable.

Edit to add:

  • Tested FMS 20.3.2.205 (macOS, Apple Silicon) : not vulnerable
  • Tested FMS 20.3.4.400 (macOS, Apple Silicon) : not vulnerable

The current version of Tomcat 9 as of Friday, April 4, 2025 is 9.0.102

Doesn't FileMaker support the current version of such an old Tomcat release (the current Tomcat iteration is 11)?

I suppose one could try manually patching in a newer Tomcat version, but this seems like a risky gambit itself, as I'm sure Claris would not support such a version.

This does point out the fact that Claris really needs either a more rapid release model, or the ability to update components (Tomcat, WebDirect...) on an individual basis.


I use Tomcat separately on my AWS instance (currently 9.0.98), but I'm aware Claris always lags many versions behind.

Thanks for this info. I visited the GitHub exploit page and its results examples show that there should be a statement "does not appear vulnerable or exploit failed." - Did that show up for you? Also the order of your example is not the same as the one on the exploit page. Maybe it has been updated since then? Could you clarify please.

I contacted Claris about that and they confirmed they do not support it and would not help in any way. Which is fair enough. I contacted GOYA and they were willing to help but were quite cautious in offering to be involved. In the end I did not proceed with their help and they pointed me to the community to get it on the Claris radar, so I took that approach instead.

Also: the latest FMS has Tomcat 10.1.26, with the latest Tomcat being 10.1.39, released March 7th. It is very sad how Claris always allows this to lag far behind. I am not sure our CyberSecurityUnit will be interested in the configuration settings that make it 'safe'; their beef remains the delay in Claris updating something so critical and exposed. And from the Tomcat website: "Please note that Tomcat 10.0.x has reached end of life and is no longer supported. Vulnerabilities reported after 31 October 2022 were not checked against the 10.0.x branch and will not be fixed. Users should upgrade to 10.1.x or later to obtain security fixes."


I believe the exploit requires more than one setting to be ON. In the case when Tomcat has writing turned off, there can be no exploit, so the script exits early. My interpretation is this means "not vulnerable". It would be nice if it said "not vulnerable" but it doesn't in this case.
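The "writing turned off" condition discussed above is the DefaultServlet `readonly` init-param in Tomcat's conf/web.xml (absent means read-only), alongside `allowPartialPut` (absent means enabled). As an added example, not the thread's PoC script nor anything from Claris or Tomcat, this Python audit parses a web.xml and reports whether writes and partial PUT are enabled; both sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop the namespace prefix ("{http://...}servlet" -> "servlet").
    return tag.rsplit("}", 1)[-1]

def _text(el):
    return (el.text or "").strip()

def default_servlet_params(web_xml):
    """Return {param-name: param-value} of the <servlet> named 'default'."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        names = [_text(c) for c in servlet if _local(c.tag) == "servlet-name"]
        if names != ["default"]:
            continue
        params = {}
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): _text(c) for c in ip}
            if "param-name" in kv:
                params[kv["param-name"]] = kv.get("param-value", "")
        return params
    return {}  # no DefaultServlet declaration found

def audit(web_xml):
    """Report whether the DefaultServlet would accept (partial) PUT writes.
    Tomcat defaults when a parameter is absent: readonly=true, allowPartialPut=true."""
    p = default_servlet_params(web_xml)
    readonly = p.get("readonly", "true").strip().lower() == "true"
    partial = p.get("allowPartialPut", "true").strip().lower() == "true"
    return {"writable": not readonly, "partial_put": partial,
            "partial_put_writes_possible": (not readonly) and partial}

# Constructed samples (not a real server's config): one with Tomcat's shipped
# defaults, one where an admin has switched the DefaultServlet to writable.
_HEAD = ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0"><servlet>'
         '<servlet-name>default</servlet-name>'
         '<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>')
_TAIL = '</servlet></web-app>'
HARDENED_WEB_XML = (_HEAD + '<init-param><param-name>debug</param-name>'
                    '<param-value>0</param-value></init-param>' + _TAIL)
WRITABLE_WEB_XML = (_HEAD + '<init-param><param-name>readonly</param-name>'
                    '<param-value>false</param-value></init-param>' + _TAIL)

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_WEB_XML), ("writable", WRITABLE_WEB_XML)):
        print(label, audit(cfg))
```

Point it at a real conf/web.xml with `audit(open(path).read())`; a result with `writable: False` matches the "Server is not writable" outcome the script reports above.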

Sorry, I don't understand this comment...

I repeated the test (now, after having updated my server to FMS 20.3.4) and basically get the same output:

[*] Session ID: C0ADE07B91F69867EC267CEDA542E936.jwpc1
[-] Server is not writable (HTTP 400)

Tomcat archives show that 10.1.26 is dated 12th July 2024.

The last of the 10.0.x series is dated July 2021.

They are still releasing new Tomcat 9 versions.

FMS has been using 10 for a while, so Tomcat 9 is irrelevant. They are also releasing updates for Tomcat 10 as well, but the point is Apache has said they will not be releasing updates anymore. Thankfully they are continuing to release security updates, but they could stop, and Claris needs to stop dragging their feet and move to 11, or at least be patching to the latest Tomcat 10 in a more timely fashion.

I agree with you, but I still use Tomcat 9 for Spring Boot 2.x support. If I move to Tomcat 10/11, Spring Boot (2.x) no longer works and would require some refactoring. Not a bad idea to refactor, of course, but no compelling reason to do so since version 9 is still getting vulnerability updates.

I got a reply from the Claris Community Issues thread where I have a post from March 2023 when I started having issues with our cyber security unit due to Tomcat being out of date - it addresses this specific vulnerability and comes from a Claris employee who posts in the community:

James Tussey (Claris)


Claris Engineering has reviewed the reported Apache Tomcat vulnerabilities CVE-2024-50379 and CVE-2025-24813 as they relate to certain open source libraries that may impact FileMaker products.

After our review, we have determined that FileMaker Server is not vulnerable to these specific security flaws.

However, as part of our ongoing security maintenance process and to stay current, an upcoming release of FileMaker Server will include an updated JWPC Tomcat package that addresses the reported Apache Tomcat vulnerabilities mentioned above.

James Tussey

Claris International, Inc.


FWIW, I updated my client (separate Tomcat install outside FMS) to Tomcat 11. Works perfectly.