How to Mitigate CVE-2025-24813 in Apache Tomcat for Camunda 7.20?

Hi everyone,

We got information about a critical security vulnerability (CVE-2025-24813) affecting Apache Tomcat. Since we are running Camunda BPM Runtime 7.20 (Community Edition) on Apache Tomcat 9.0.75, I would like to ask for advice on the best way to mitigate this issue.

System Details:

  • Camunda BPM Runtime: 7.20.0 (Community Edition)
  • Application Server: Apache Tomcat 9.0.75
  • JDK: OpenJDK 17.0.14
  • Database: PostgreSQL 16.6

Questions:

  1. What is the recommended approach to patch or upgrade Apache Tomcat in a Camunda 7 environment?
  2. Are there any known compatibility issues when upgrading Tomcat to a newer version?
  3. Is there a preferred way to update Tomcat without affecting Camunda deployments?

I appreciate any guidance or best practices from the community. Thanks in advance!

If this is the Community Edition then you have to apply the vulnerability patches yourself for Tomcat. What type of distribution are you using? Zip or Docker image?

Here is how we manage it for us:

  1. Upgrade the Camunda version every 6 months.
  2. Replace vulnerable jars with new jars. You need to have a certain level of understanding of the distro for this, followed by a series of tests.

On a side note, it's easy to patch dependencies in Spring Boot based Camunda projects, but you have to build that project yourself.
Anyway, after October 2025 Camunda CE will be end of life, so it will become very difficult to manage vulnerabilities over the years.

1 Like
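Before deciding between "upgrade Tomcat" and "swap the jars" (step 2 in the reply above), a defender usually wants to know two things about the running install: which Tomcat version is actually on disk, and whether the DefaultServlet has been switched to allow writes (readonly=false; Tomcat ships with it read-only), which the Apache Tomcat advisory lists among the preconditions for CVE-2025-24813. The script below is an added example for that audit; it is not from the thread, from Camunda, or from Tomcat's own tooling. It reads the version from the ServerInfo.properties inside lib/catalina.jar (the same source bin/version.sh uses) and compares it with a minimum version you pass in; the fixed release number is not on this page, so take it from the advisory rather than hard-coding a guess. The two web.xml fragments inside the script are constructed samples, not files from a real deployment.

```shell
#!/bin/sh
# Added example, not from the forum thread or from Camunda/Tomcat tooling:
# audit a Tomcat installation for (a) a version below the fixed release and
# (b) a DefaultServlet configured with readonly=false.
# Usage: ./tomcat_audit.sh /opt/tomcat <MIN_VERSION from the Tomcat advisory>

# version_lt A B: succeed when dotted version A is strictly older than B.
# Non-numeric suffixes such as "-M1" are ignored for the numeric compare.
version_lt() {
    _a="$1."; _b="$2."
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _ai="${_a%%.*}"; _bi="${_b%%.*}"
        _a="${_a#*.}";   _b="${_b#*.}"
        _ai="${_ai%%[!0-9]*}"; _bi="${_bi%%[!0-9]*}"
        if [ "${_ai:-0}" -lt "${_bi:-0}" ]; then return 0; fi
        if [ "${_ai:-0}" -gt "${_bi:-0}" ]; then return 1; fi
    done
    return 1
}

# tomcat_version CATALINA_HOME: print e.g. "9.0.75" from catalina.jar.
tomcat_version() {
    unzip -p "$1/lib/catalina.jar" org/apache/catalina/util/ServerInfo.properties 2>/dev/null |
        sed -n 's#^server.info=Apache Tomcat/##p'
}

# default_servlet_writable [WEB_XML]: succeed when the servlet named "default"
# carries <param-name>readonly</param-name> with value "false". XML comments
# are stripped first so a commented-out setting does not count. Reads stdin
# when no file is given.
default_servlet_writable() {
    awk '
    function strip_comments(line,   out, i) {
        out = ""
        while (length(line) > 0) {
            if (in_comment) {
                i = index(line, "-->")
                if (i == 0) return out
                line = substr(line, i + 3); in_comment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; break }
                out = out substr(line, 1, i - 1); line = substr(line, i + 4); in_comment = 1
            }
        }
        return out
    }
    { $0 = strip_comments($0) }
    /<servlet-name>[ \t]*default[ \t]*<\/servlet-name>/ { in_default = 1 }
    in_default && /<param-name>[ \t]*readonly[ \t]*<\/param-name>/ { want_value = 1 }
    in_default && want_value && /<param-value>/ {
        v = $0
        sub(/.*<param-value>[ \t]*/, "", v); sub(/[ \t]*<\/param-value>.*/, "", v)
        if (tolower(v) == "false") found = 1
        want_value = 0
    }
    /<\/servlet(-mapping)?>/ { in_default = 0; want_value = 0 }
    END { exit found ? 0 : 1 }
    ' ${1:+"$1"}
}

# audit_tomcat CATALINA_HOME MIN_VERSION: report findings; non-zero when action is needed.
audit_tomcat() {
    _home="$1"; _min="$2"; _rc=0
    _ver="$(tomcat_version "$_home")"
    if [ -z "$_ver" ]; then echo "cannot read version from $_home/lib/catalina.jar"; return 2; fi
    if version_lt "$_ver" "$_min"; then
        echo "UPGRADE: Tomcat $_ver is older than fixed release $_min"; _rc=1
    else
        echo "ok: Tomcat $_ver is at least $_min"
    fi
    # conf/web.xml configures the global DefaultServlet; a webapp's own WEB-INF/web.xml may override it.
    for _w in "$_home/conf/web.xml" "$_home"/webapps/*/WEB-INF/web.xml; do
        [ -f "$_w" ] || continue
        if default_servlet_writable "$_w"; then echo "REVIEW: DefaultServlet readonly=false in $_w"; _rc=1; fi
    done
    return $_rc
}

# Constructed sample (not a real deployment): writes enabled, plus a commented-out copy.
sample_writable_webxml() {
    cat <<'EOF'
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <!-- <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param> -->
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>
EOF
}

# Constructed sample: readonly=false appears only inside a comment, so the servlet stays read-only.
sample_readonly_webxml() {
    cat <<'EOF'
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <!--
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    -->
  </servlet>
</web-app>
EOF
}

if [ "${1:-}" = "--demo" ]; then
    sample_writable_webxml | default_servlet_writable && echo "sample: DefaultServlet is writable"
elif [ -n "${1:-}" ]; then
    audit_tomcat "$1" "${2:?usage: $0 CATALINA_HOME MIN_VERSION}"
fi
```

A non-zero exit from `audit_tomcat` means either the version is below the minimum you supplied or some web.xml has turned the DefaultServlet writable; both are worth a ticket regardless of which mitigation path (full Tomcat upgrade versus jar replacement) the team picks. The check is deliberately read-only and touches nothing on disk.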