Downloads:
Verj.io Studio Links:
Windows 64 bit: https://downloads.verj.io/verjio/v5.13. ... _win64.exe
Linux 64 bit: https://downloads.verj.io/verjio/v5.13. ... x64.tar.gz
Mac: https://downloads.verj.io/verjio/v5.13. ... _5_mac.dmg
On-premise Server Links
Windows 64 bit: https://downloads.verj.io/verjio/v5.13. ... _win64.exe
Linux 64 bit: https://downloads.verj.io/verjio/v5.13. ... x64.tar.gz
This release is a maintenance release and contains an important Tomcat security fix.
Security Fixes in V5.13.5
- Upgrade to tomcat 9.0.102 that fixes:
- CVE-2025-24813 - Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet.
The original implementation of partial PUT used a temporary file based on the user provided file name and path with the path separator replaced by ".".
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT
If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack
- CVE-2025-24813 - Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet.
Release notes and installation instructions:
See the V5.13.5 Readme