Apache Tomcat Security Vulnerabilities Expose Servers to Remote Code Execution Risks

The Apache Software Foundation has highlighted critical flaws in Apache Tomcat, a widely used open-source Java servlet container that powers numerous web applications.

On October 27, 2025, Apache disclosed two vulnerabilities, CVE-2025-55752 and CVE-2025-55754, affecting multiple versions of Tomcat.

While the first poses a risk of remote code execution (RCE) under specific configurations, the second enables potential console manipulation, underscoring the need for immediate patching in enterprise environments.

These issues stem from a regression in URL handling and from unescaped control sequences in log output, potentially exposing servers to unauthorized access and control.

Directory Traversal Flaw Enables RCE

The more severe vulnerability, CVE-2025-55752, involves a directory traversal bug introduced in the fix for an earlier issue (bug 60013).

In this regression, rewritten URLs are normalized before decoding, allowing attackers to manipulate query parameters and bypass protections for sensitive directories like /WEB-INF/ and /META-INF/.

If PUT requests are enabled (a configuration normally restricted to trusted users), an attacker can upload malicious files, leading to RCE.

Discovered by Chumy Tsai of CyCraft Technology, this flaw is rated as Important severity, emphasizing its potential impact on unpatched systems running Tomcat in production.

Affected versions include Apache Tomcat 11.0.0-M1 to 11.0.10, 10.1.0-M1 to 10.1.44, and 9.0.0-M11 to 9.0.108, with older end-of-life (EOL) releases also vulnerable.

Technically, the flaw lies in URL rewriting rules that inadvertently allow path manipulation: because normalization runs before decoding, the order of those two steps can be exploited to evade the security constraints guarding those directories.

| CVE ID | Severity | Affected Versions | CVSS Score | Technical Description | Credit |
|---|---|---|---|---|---|
| CVE-2025-55752 | Important | 11.0.0-M1 to 11.0.10; 10.1.0-M1 to 10.1.44; 9.0.0.M11 to 9.0.108 | N/A (Important) | Directory traversal via rewritten URL normalization before decoding; enables file upload and RCE if PUT is enabled. Bypasses /WEB-INF/ and /META-INF/ protections. | Chumy Tsai (CyCraft) |
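The ordering problem described above is easier to see in code. The following is an added example, not Tomcat's code: a minimal "protected directory" check written twice, once normalizing before decoding (the regression pattern) and once decoding before normalizing (the hardened pattern). The request paths, prefixes and helper names are constructed for illustration.

```python
# Added example (not Tomcat's code): the order of percent-decoding and path
# normalization decides whether a "protected directory" check can be evaded.
# Sample request paths and the protected prefixes below are constructed.
import posixpath
from urllib.parse import unquote

# Directories a servlet container must never serve directly.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments as a URL normalizer would.
    posixpath.normpath never decodes percent-escapes, so '%2e%2e' or
    '..%2f' is not recognised as a traversal at this stage."""
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def is_protected(path: str) -> bool:
    """Case-insensitive prefix check against the protected directories."""
    return path.upper().startswith(PROTECTED_PREFIXES)


def weak_order(raw_path: str):
    """Regression pattern: normalize, check, and only then decode.
    An encoded traversal passes the check and is materialised by decoding."""
    normalized = normalize(raw_path)
    if is_protected(normalized):
        return "rejected", normalized
    decoded = unquote(normalized)
    # Whatever resolves the resource later collapses '..' once more,
    # so the path the server actually serves is the re-normalized one.
    return "allowed", normalize(decoded)


def safe_order(raw_path: str):
    """Hardened pattern: decode exactly once, normalize, then check."""
    normalized = normalize(unquote(raw_path))
    # '..' cannot survive normpath on an absolute path; the segment check
    # is defence in depth in case normalize() is ever swapped out.
    if is_protected(normalized) or ".." in normalized.split("/"):
        return "rejected", normalized
    return "allowed", normalized


if __name__ == "__main__":
    # Constructed sample requests: one benign, two carrying encoded traversal.
    for req in ("/app/index.jsp", "/app/..%2FWEB-INF/web.xml", "/app/%2e%2e/WEB-INF/web.xml"):
        print(f"{req:32} weak={weak_order(req)}  safe={safe_order(req)}")
```

The weak variant reports the encoded requests as allowed and resolves them to `/WEB-INF/web.xml`; the safe variant rejects them. Two design points matter when writing such a filter: decode exactly once (a filter that decodes twice reintroduces the same class of bypass through double encoding), and run every security check on the fully canonical form.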

Console Manipulation Through Log Escapes

In addition to the traversal issue, CVE-2025-55754 addresses improper neutralization of ANSI escape sequences in Tomcat’s log messages.

On Windows systems with ANSI-supporting consoles, attackers could craft URLs to inject sequences that manipulate the console display or clipboard, or even trick administrators into executing commands.

Although no direct attack vector was identified for other OSes, the potential for social engineering remains a concern. Rated Low severity, this flaw affects Tomcat 11.0.0-M1 to 11.0.10, 10.1.0-M1 to 10.1.44, and 9.0.0.40 to 9.0.108, plus select EOL versions like 8.5.60 to 8.5.100.

Identified by Elysee Franchuk of MOBIA Technology Innovations, the issue arises from log messages being written without escaping, allowing control sequences to influence terminal behavior without authentication.

| CVE ID | Severity | Affected Versions | CVSS Score | Technical Description | Credit |
|---|---|---|---|---|---|
| CVE-2025-55754 | Low | 11.0.0-M1 to 11.0.10; 10.1.0-M1 to 10.1.44; 9.0.0.40 to 9.0.108 | N/A (Low) | Unescaped ANSI sequences in logs enable console/clipboard manipulation on Windows; potential command trickery via crafted URLs. | Elysee Franchuk (MOBIA) |

Experts note that, while less critical on its own, this flaw could amplify threats when combined with others in setups where administrators monitor logs on a console.
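For teams that cannot upgrade immediately, or that write their own log pipelines, the defensive measure is the one the fix applies: escape control characters before attacker-influenced text is logged, and scan existing logs for lines that already contain terminal sequences. The following is an added example, not Tomcat's code; the log lines, function names and the OSC 52 clipboard sample (payload is base64 of the string "ABC") are constructed.

```python
# Added example (not Tomcat's code): neutralizing terminal control sequences
# before attacker-influenced text reaches a log, and detecting lines that
# already contain them. The log lines below are constructed samples.
import re

# C0 controls (incl. ESC 0x1b and BEL 0x07), DEL, and the C1 range 0x80-0x9f
# (some terminals accept 0x9b as a one-byte CSI) are all rewritten.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")

# ECMA-48 CSI: ESC [ parameter bytes, intermediate bytes, one final byte.
CSI_RE = re.compile(r"\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]")
# OSC: ESC ] ... terminated by BEL or ST (ESC \). OSC 52 writes the clipboard.
OSC_RE = re.compile(r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")


def escape_for_log(value: str) -> str:
    """Replace every control character with a visible \\xNN token so the
    bytes are preserved for analysis but never interpreted by a console."""
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def find_escape_sequences(line: str):
    """Return (kind, sequence) pairs for each CSI/OSC sequence in a line."""
    hits = [("CSI", m.group()) for m in CSI_RE.finditer(line)]
    hits += [("OSC", m.group()) for m in OSC_RE.finditer(line)]
    return hits


def scan_log(lines):
    """Indices of lines that carry terminal control sequences."""
    return [i for i, line in enumerate(lines) if find_escape_sequences(line)]


# Constructed log lines, as a container might emit when echoing a request path.
SAMPLE_LOG_LINES = [
    "WARN  Resource not found: /app/index.jsp",
    "WARN  Resource not found: /app/\x1b[2J\x1b[31mFake alert\x1b[0m",
    "WARN  Resource not found: /app/\x1b]52;c;QUJD\x07",  # OSC 52, payload base64('ABC')
]


if __name__ == "__main__":
    for idx in scan_log(SAMPLE_LOG_LINES):
        print(idx, find_escape_sequences(SAMPLE_LOG_LINES[idx]))
        print("   escaped:", escape_for_log(SAMPLE_LOG_LINES[idx]))
```

Escaping at write time is the real fix; the scanner is for triage of logs that were produced before the fix was deployed. Note that the detector recognises only CSI and OSC sequences, which cover display and clipboard manipulation; the escaper is broader and rewrites every control byte, so anything the scanner misses is still neutralised once it runs through `escape_for_log`.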

Mitigations

Apache urges users to upgrade to mitigated versions: Tomcat 11.0.11, 10.1.45, or 9.0.109 and later, which address both vulnerabilities through enhanced URL handling and log escaping.

Organizations should audit configurations, particularly those enabling PUT requests alongside rewrites, to prevent RCE chains. Given Tomcat’s prevalence in Java-based applications, unpatched instances could face targeted attacks, echoing earlier exploits like CVE-2025-24813.
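The audit the article recommends can be scripted. The following is an added example, not the Tomcat project's tooling: it checks a reported version against the fixed releases named above, looks for the DefaultServlet `readonly=false` init-param in a web.xml (the setting that enables PUT), and looks for a RewriteValve declaration in a context.xml or server.xml. The XML fragments are constructed samples, and the assumption that all three conditions together constitute the RCE chain follows the article's description.

```python
# Added example (not the Tomcat project's tooling): a small audit that flags
# the configuration the article warns about, a Tomcat below the fixed release
# with PUT enabled on the DefaultServlet and a RewriteValve configured.
# The XML fragments at the bottom are constructed samples.
import xml.etree.ElementTree as ET

# Fixed releases per the advisory; any other branch (e.g. 8.5.x) is EOL or unknown.
FIXED = {(11, 0): (11, 0, 11), (10, 1): (10, 1, 45), (9, 0): (9, 0, 109)}

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
REWRITE_VALVE = "org.apache.catalina.valves.rewrite.RewriteValve"


def parse_version(version: str):
    """'9.0.108' -> (9, 0, 108, 1, 0); milestones such as '11.0.0-M5' or
    '9.0.0.M11' get a 0 release flag so they sort below the final release."""
    parts = version.replace("-", ".").split(".")
    nums = [int(p) for p in parts if p.isdigit()]
    milestone = next((int(p[1:]) for p in parts if p[:1] == "M" and p[1:].isdigit()), None)
    major, minor, patch = nums[0], nums[1], nums[2]
    return (major, minor, patch, 0 if milestone is not None else 1, milestone or 0)


def is_fixed(version: str) -> bool:
    """True only for a release at or above the fixed version of its branch."""
    v = parse_version(version)
    fixed = FIXED.get((v[0], v[1]))
    return fixed is not None and v >= fixed + (1, 0)


def _local(tag: str) -> str:
    """Strip the XML namespace, which differs across web.xml schema versions."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, name: str) -> str:
    child = next((c for c in elem if _local(c.tag) == name), None)
    return (child.text or "").strip() if child is not None else ""


def put_enabled(web_xml: str) -> bool:
    """True when the DefaultServlet has init-param readonly=false, which is
    what lets PUT (and DELETE) write into the web application."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet" or _text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        for ip in servlet:
            if _local(ip.tag) == "init-param" and _text(ip, "param-name") == "readonly":
                return _text(ip, "param-value").lower() == "false"
    return False  # Tomcat's default for readonly is true


def rewrite_valve_configured(context_or_server_xml: str) -> bool:
    """True when a RewriteValve is declared (its rules live in rewrite.config)."""
    return any(_local(e.tag) == "Valve" and e.get("className") == REWRITE_VALVE
               for e in ET.fromstring(context_or_server_xml).iter())


def assess(version: str, web_xml: str, context_xml: str) -> dict:
    """Combine the three checks into findings; the chain needs all three."""
    findings = {"version_fixed": is_fixed(version),
                "put_enabled": put_enabled(web_xml),
                "rewrite_valve": rewrite_valve_configured(context_xml)}
    findings["rce_chain_possible"] = (not findings["version_fixed"]
                                      and findings["put_enabled"]
                                      and findings["rewrite_valve"])
    return findings


# Constructed samples: a web.xml with PUT enabled and a context.xml with the valve.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

SAMPLE_CONTEXT_XML = """<Context>
  <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
</Context>"""


if __name__ == "__main__":
    for ver in ("9.0.108", "9.0.109", "11.0.0-M5", "8.5.100"):
        print(ver, assess(ver, SAMPLE_WEB_XML, SAMPLE_CONTEXT_XML))
```

In a real deployment the web.xml to inspect is `conf/web.xml` under CATALINA_BASE (the global DefaultServlet definition) plus each application's own `WEB-INF/web.xml`, and the valve may be declared in `conf/server.xml`, `conf/context.xml` or a per-application context file; read each of those and feed the contents to the functions above. A version outside the three supported branches is reported as not fixed, which is the right default for EOL releases.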
