The Apache Software Foundation has disclosed two vulnerabilities in Apache Tomcat, the widely deployed open-source Java servlet container.
On October 27, 2025, Apache published advisories for CVE-2025-55752 and CVE-2025-55754, affecting all three currently supported Tomcat branches.
The first can lead to remote code execution (RCE) under a particular configuration; the second lets an attacker manipulate an administrator's console through log output. Both call for prompt patching in production environments.
The first is a regression introduced by an earlier bug fix, the second a failure to escape control sequences in log messages; together they can expose servers to unauthorized access and control.
Directory Traversal Vulnerability Facilitates RCE
The more serious issue, CVE-2025-55752, is a directory traversal bug introduced by the fix for an earlier problem (bug 60013).
That fix caused the rewritten URL to be normalized before it was percent-decoded. Normalization therefore never sees an encoded traversal sequence such as %2e%2e, which only becomes ".." in the later decoding step; an attacker who controls query parameters that a rewrite rule uses to build the new URL can use this to bypass the security constraints protecting /WEB-INF/ and /META-INF/.
If PUT requests are also enabled (typically only for trusted users), the attacker may be able to upload a malicious file, resulting in RCE.
Discovered by Chumy Tsai of CyCraft Technology, the flaw is rated Important, underscoring its potential impact on unpatched production systems.
Affected versions are Apache Tomcat 11.0.0-M1 to 11.0.10, 10.1.0-M1 to 10.1.44, and 9.0.0.M11 to 9.0.108; older end-of-life (EOL) releases may also be affected but will not receive fixes.
In short, the root cause is the order of operations: security constraints are evaluated against a normalized but still-encoded path, and the decoding that follows reintroduces the traversal segments that normalization was meant to remove.
| CVE ID | Severity | Affected Versions | CVSS Score | Technical Description | Credit |
|---|---|---|---|---|---|
| CVE-2025-55752 | Important | 11.0.0-M1 to 11.0.10; 10.1.0-M1 to 10.1.44; 9.0.0.M11 to 9.0.108 | Not assigned (Apache rates it Important) | Directory traversal: rewritten URL normalized before decoding; bypasses protections for /WEB-INF/ and /META-INF/; enables file upload and RCE if PUT is enabled. | Chumy Tsai (CyCraft Technology) |
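To make the ordering problem concrete, here is a small Python model of the two orders of operations. It is an added illustration for this article, not Tomcat's code: it assumes a hypothetical rewrite rule has already copied an attacker-controlled query parameter into the path, so each function receives the rewritten path directly, and the `/pages/` prefix and `web.xml` target are made-up sample values.

```python
from urllib.parse import unquote
import posixpath

# Paths a servlet container must never serve directly.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments and duplicate slashes, as a container
    does before evaluating security constraints. It works on the text it is
    given: a percent-encoded '%2e%2e' is not recognised as '..'."""
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"  # normpath drops a trailing slash; keep it
    return norm


def is_protected(path: str) -> bool:
    """Constraint check, case-insensitive to be conservative."""
    upper = path.upper()
    return any(upper.startswith(prefix) for prefix in PROTECTED_PREFIXES)


def normalize_then_decode(rewritten: str):
    """Regression order: the constraint is checked on the normalized but still
    encoded path, and decoding happens afterwards. Returns (path checked,
    path the resource lookup actually resolves, whether the check blocked it)."""
    checked = normalize(rewritten)
    effective = normalize(unquote(checked))  # '..' only appears at this point
    return checked, effective, is_protected(checked)


def decode_then_normalize(rewritten: str):
    """Corrected order: decode first, then normalize, then check."""
    checked = normalize(unquote(rewritten))
    return checked, checked, is_protected(checked)


def bypasses(rewritten: str, resolver) -> bool:
    """True when the resolver lets a request reach a protected path unblocked."""
    _checked, effective, blocked = resolver(rewritten)
    return is_protected(effective) and not blocked


if __name__ == "__main__":
    # Hypothetical rewritten path built from an attacker-controlled parameter.
    sample = "/pages/%2e%2e/WEB-INF/web.xml"
    for resolver in (normalize_then_decode, decode_then_normalize):
        checked, effective, blocked = resolver(sample)
        print(f"{resolver.__name__}: checked={checked} effective={effective} "
              f"blocked={blocked} bypass={bypasses(sample, resolver)}")
```

With the regression order the constraint check sees `/pages/%2e%2e/WEB-INF/web.xml`, which does not start with a protected prefix, while the resource lookup resolves `/WEB-INF/web.xml`; with decoding first, the check sees `/WEB-INF/web.xml` and blocks it.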
Console Manipulation Via Log Escapes
In addition to the traversal issue, CVE-2025-55754 concerns improper neutralization of ANSI escape sequences in Tomcat's log messages.
On Windows platforms whose console supports ANSI escapes, an attacker can craft a URL so that the resulting log entry contains sequences that manipulate the console display or clipboard, or that are intended to trick an administrator into running an attacker-controlled command.
Apache was unable to demonstrate the attack on other operating systems but notes it may be possible in some circumstances, so the social-engineering risk is not confined to Windows. Rated Low severity, the flaw affects Tomcat 11.0.0-M1 to 11.0.10, 10.1.0-M1 to 10.1.44, and 9.0.0.40 to 9.0.108, as well as the EOL 8.5.60 to 8.5.100 releases.
Identified by Elysee Franchuk of MOBIA Technology Innovations, the issue stems from Tomcat writing attacker-supplied request data to its logs without escaping control characters; because the payload arrives in an ordinary HTTP request, no authentication is required.
| CVE ID | Severity | Affected Versions | CVSS Score | Technical Description | Credit |
|---|---|---|---|---|---|
| CVE-2025-55754 | Low | 11.0.0-M1 to 11.0.10; 10.1.0-M1 to 10.1.44; 9.0.0.40 to 9.0.108; 8.5.60 to 8.5.100 (EOL) | Not assigned (Apache rates it Low) | Unescaped ANSI sequences in logs enable console/clipboard manipulation on Windows; potential command deception via crafted URLs. | Elysee Franchuk (MOBIA Technology Innovations) |
Although less urgent on its own, the flaw becomes more useful to an attacker when chained with other vulnerabilities in environments where administrators watch Tomcat output in a console.
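As an added example (not code from the Tomcat project), the following Python detects raw terminal control sequences in log lines and shows the escaping that neutralises them. The access-log entries are constructed; the second one carries ESC[2J (erase display) followed by an OSC 52 sequence, the xterm clipboard-write command, and the third carries a CR/LF pair of the kind used to forge a log entry.

```python
import re

# One pattern for (a) CSI sequences such as ESC[2J, (b) OSC sequences such as
# ESC]52;c;<base64>BEL, terminated by BEL or ESC \, and (c) any other C0
# control or DEL character, including bare ESC, CR and LF.
CONTROL_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"              # CSI: ESC [ params intermediates final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"   # OSC: ESC ] ... (BEL | ESC \)
    r"|[\x00-\x1f\x7f]"                     # remaining control characters
)


def find_control_sequences(line: str) -> list:
    """Return every escape sequence or stray control character in a log line."""
    return CONTROL_RE.findall(line)


def escape_for_console(text: str) -> str:
    """Render control characters as visible \\xNN tokens so a terminal never
    interprets them. Apply to attacker-influenced fields (request URI,
    headers, user agent) before they are written to a log."""
    return "".join(
        f"\\x{ord(ch):02x}" if ord(ch) < 0x20 or ord(ch) == 0x7F else ch
        for ch in text
    )


def scan_log(lines: list) -> list:
    """Flag (line number, sequences) for lines that already contain raw controls."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = find_control_sequences(line)
        if found:
            hits.append((number, found))
    return hits


# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Oct/2025:10:00:00 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Oct/2025:10:00:01 +0000] "GET /\x1b[2J\x1b]52;c;SGVsbG8=\x07 HTTP/1.1" 404 0',
    '10.0.0.9 - - [27/Oct/2025:10:00:02 +0000] "GET /a\r\n10.0.0.1 - - forged entry HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, found in scan_log(SAMPLE_LOG):
        print(number, [escape_for_console(seq) for seq in found])
```

Scanning existing logs with `scan_log` is a quick way to find requests that already tried this; escaping at write time, as `escape_for_console` does, is the fix the patched Tomcat releases apply to their own log output.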
Remediations
Apache advises upgrading to the fixed releases, Tomcat 11.0.11, 10.1.45, or 9.0.109 and later, which resolve both issues by correcting the URL decoding order and escaping control characters in log output.
Organizations should also review configurations, in particular any that enable PUT (readonly=false on the DefaultServlet) together with URL rewriting, since that combination is the precondition for the RCE chain. Given Tomcat's wide use in Java-based applications, unpatched instances can expect targeted attacks, as seen with earlier Tomcat flaws such as CVE-2025-24813.
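The following Python audit script is an added example rather than an Apache tool. It checks the three preconditions described above: a version older than the fixed release, PUT enabled through `readonly=false` on the DefaultServlet or WebdavServlet in web.xml, and the RewriteValve declared in server.xml or a context.xml. The web.xml and context.xml samples are constructed, and the version comparison only knows the fixed releases named in this article.

```python
import xml.etree.ElementTree as ET

# Servlets that accept PUT/DELETE once their "readonly" init-param is false.
WRITABLE_SERVLETS = {
    "org.apache.catalina.servlets.DefaultServlet",
    "org.apache.catalina.servlets.WebdavServlet",
}
REWRITE_VALVE = "org.apache.catalina.valves.rewrite.RewriteValve"
# First fixed release per supported branch, per the Apache advisories.
FIXED_VERSIONS = {(11, 0): "11.0.11", (10, 1): "10.1.45", (9, 0): "9.0.109"}


def _local(tag: str) -> str:
    """Strip the XML namespace so web.xml with or without xmlns parses alike."""
    return tag.rsplit("}", 1)[-1]


def _text(elem) -> str:
    return (elem.text or "").strip()


def writable_servlets(web_xml: str) -> list:
    """Names of DefaultServlet/WebdavServlet declarations with readonly=false."""
    found = []
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = cls = ""
        readonly = "true"  # Tomcat's default: PUT/DELETE rejected
        for child in servlet:
            kind = _local(child.tag)
            if kind == "servlet-name":
                name = _text(child)
            elif kind == "servlet-class":
                cls = _text(child)
            elif kind == "init-param":
                params = {_local(p.tag): _text(p) for p in child}
                if params.get("param-name") == "readonly":
                    readonly = params.get("param-value", "").lower()
        if cls in WRITABLE_SERVLETS and readonly == "false":
            found.append(name)
    return found


def has_rewrite_valve(xml_text: str) -> bool:
    """True if server.xml or a context.xml declares the RewriteValve."""
    return any(
        _local(e.tag) == "Valve" and e.get("className") == REWRITE_VALVE
        for e in ET.fromstring(xml_text).iter()
    )


def version_key(version: str) -> tuple:
    """Sortable key; milestones ("11.0.0-M1", "9.0.0.M11") sort before finals."""
    base, _, milestone = version.strip().replace(".M", "-M").partition("-M")
    nums = tuple(int(part) for part in base.split("."))
    return nums + ((0, int(milestone)) if milestone else (1, 0))


def is_patched(version: str) -> bool:
    """False for anything below the fixed release, and for EOL branches (no fix)."""
    key = version_key(version)
    fixed = FIXED_VERSIONS.get(key[:2])
    return fixed is not None and key >= version_key(fixed)


def assess(version: str, web_xml: str, context_xml: str) -> list:
    """Collect the conditions that together make the RCE chain possible."""
    findings = []
    if not is_patched(version):
        findings.append(f"Tomcat {version} predates the fixed release")
    writable = writable_servlets(web_xml)
    if writable:
        findings.append("PUT enabled via readonly=false on: " + ", ".join(writable))
    if has_rewrite_valve(context_xml):
        findings.append("RewriteValve is configured")
    return findings


# Constructed sample configuration, not taken from any real deployment.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>"""

SAMPLE_CONTEXT_XML = """<Context>
  <Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/>
</Context>"""

if __name__ == "__main__":
    for finding in assess("9.0.108", SAMPLE_WEB_XML, SAMPLE_CONTEXT_XML):
        print("-", finding)
```

An instance that reports all three findings has every ingredient of the CVE-2025-55752 RCE chain; upgrading removes the first, and setting `readonly` back to `true` removes the second even where the upgrade must wait.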