The Apache Software Foundation has highlighted important flaws in Apache Tomcat, a widely used open-source Java servlet container that powers numerous web applications.
On October 27, 2025, Apache disclosed two vulnerabilities, CVE-2025-55752 and CVE-2025-55754, affecting multiple versions of Tomcat.
While the first poses a risk of remote code execution (RCE) under specific configurations, the second enables potential console manipulation, underscoring the need for immediate patching in enterprise environments.
These issues stem from a regression and from unescaped control sequences, potentially exposing servers to unauthorized access and control.
Directory Traversal Flaw Enables RCE
The more severe vulnerability, CVE-2025-55752, involves a directory traversal bug introduced in the fix for an earlier issue (bug 60013).
In this regression, rewritten URLs are normalized before they are decoded, allowing attackers to manipulate query parameters and bypass protections for sensitive directories such as /WEB-INF/ and /META-INF/.
If PUT requests are enabled, a configuration usually restricted to trusted users, malicious files can be uploaded, leading to RCE.
Discovered by Chumy Tsai of CyCraft Technology, this flaw is rated Important severity, emphasizing its potential impact on unpatched systems running Tomcat in production.
Affected versions include Apache Tomcat 11.0.0-M1 to 11.0.10, 10.1.0-M1 to 10.1.44, and 9.0.0-M11 to 9.0.108, with older end-of-life (EOL) releases also vulnerable.
The technical specifics revolve around URL rewriting rules that inadvertently allow path manipulation: because normalization runs before decoding, an encoded path can pass the security constraint check and only afterwards resolve to a protected location.
CVE ID: CVE-2025-55752
Severity: Important
Affected Versions: 11.0.0-M1 to 11.0.10; 10.1.0-M1 to 10.1.44; 9.0.0-M11 to 9.0.108
CVSS Score: N/A (Important)
Technical Description: Directory traversal via rewritten URL normalization before decoding; enables file upload and RCE if PUT is enabled. Bypasses /WEB-INF/ and /META-INF/ protections.
Credit: Chumy Tsai (CyCraft)
Source: lists.apache
Console Manipulation Through Log Escapes
In addition to the traversal issue, CVE-2025-55754 addresses improper neutralization of ANSI escape sequences in Tomcat's log messages.
On Windows systems with ANSI-supporting consoles, attackers could craft URLs to inject sequences that manipulate the console display or clipboard, or even trick administrators into executing commands.
Although no direct attack vector was identified for other operating systems, the potential for social engineering remains a concern. Rated Low severity, this flaw affects Tomcat 11.0.0-M1 to 11.0.10, 10.1.0-M1 to 10.1.44, and 9.0.0.40 to 9.0.108, plus select EOL versions such as 8.5.60 to 8.5.100.
Identified by Elysee Franchuk of MOBIA Technology Innovations, the issue arises from unescaped log output, allowing control sequences to influence terminal behavior without authentication.
CVE ID: CVE-2025-55754
Severity: Low
Affected Versions: 11.0.0-M1 to 11.0.10; 10.1.0-M1 to 10.1.44; 9.0.0.40 to 9.0.108
CVSS Score: N/A (Low)
Technical Description: Unescaped ANSI sequences in logs allow console/clipboard manipulation on Windows; potential command trickery via crafted URLs.
Credit: Elysee Franchuk (MOBIA)
Source: lists.apache
Experts note that, while less critical on its own, combining this with other flaws could amplify threats in setups where administrators monitor logs on a console.
Mitigations
Apache urges users to upgrade to the fixed versions: Tomcat 11.0.11, 10.1.45, or 9.0.109 and later, which address both vulnerabilities through corrected URL handling and log escaping.
Organizations should audit configurations, particularly those enabling PUT requests alongside rewrite rules, to prevent RCE chains. Given Tomcat's prevalence in Java-based applications, unpatched instances could face targeted attacks, echoing earlier exploits such as CVE-2025-24813.
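As an added example (not code from Apache or from the article) covering both the traversal and the log-escape issues above, the following log triage script decodes each request path before normalizing it, flags requests that resolve into /WEB-INF/ or /META-INF/, flags PUT requests, and flags requests carrying an ESC byte. The log lines, IP addresses and paths are constructed samples in common log format.

```python
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2025:10:00:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 512
10.0.0.7 - - [27/Oct/2025:10:00:02 +0000] "PUT /app/%2e%2e/WEB-INF/upload.jsp?x=1 HTTP/1.1" 201 0
10.0.0.9 - - [27/Oct/2025:10:00:03 +0000] "GET /app/%1b%5b2J%1b%5dclipboard HTTP/1.1" 404 0
10.0.0.5 - - [27/Oct/2025:10:00:04 +0000] "GET /app/META-INF/context.xml HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
PROTECTED = {"WEB-INF", "META-INF"}


def canonical_segments(target):
    """Split off the query, decode the path (twice, to catch double encoding),
    then normalize. Doing it in this order is what the regression got wrong:
    decode first, so that encoded dots and slashes cannot survive normalization."""
    path = unquote(unquote(urlsplit(target).path)).replace("\\", "/")
    return normpath("/" + path.lstrip("/")).split("/")


def flags_for(line):
    """Return the list of reasons a log line deserves attention (empty if none)."""
    m = LOG_RE.search(line)
    if not m:
        return []
    method, target = m.group("method"), m.group("target")
    reasons = []
    # CVE-2025-55754: an ESC (0x1b) or CSI (0x9b) byte in the request can
    # reach the console through log output on unpatched versions.
    if any(ch in unquote(unquote(target)) for ch in ("\x1b", "\x9b")):
        reasons.append("ansi-escape-in-request")
    # CVE-2025-55752: the decoded, normalized path lands in a protected directory.
    if any(seg.upper() in PROTECTED for seg in canonical_segments(target)):
        reasons.append("protected-directory")
    # PUT is the precondition the advisory names for turning traversal into RCE.
    if method == "PUT":
        reasons.append("put-request")
    return reasons


def scan(log_text):
    """Return [(line_number, reasons)] for every flagged line."""
    return [(n, r) for n, line in enumerate(log_text.splitlines(), 1)
            if (r := flags_for(line))]


if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```

Rules of this kind are a triage aid for the window before patching, not a substitute for the upgrade.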
