
The Apache Software Foundation has reported two security vulnerabilities affecting multiple versions of Apache Tomcat, with one posing a significant risk of remote code execution on susceptible servers.
The vulnerabilities affect Apache Tomcat versions 9, 10, and 11, and administrators are advised to upgrade their installations without delay.
Vulnerability Details
| CVE ID | Vulnerability | Severity | CVSS Score |
| --- | --- | --- | --- |
| CVE-2025-55752 | Directory traversal via rewrite with possible RCE if PUT is enabled | Important | N/A |
| CVE-2025-55754 | Console manipulation via escape sequences in log messages | Low | N/A |
Critical Directory Traversal Flaw Enables RCE
The most severe vulnerability, CVE-2025-55752, is rated as “Important” and originates from a regression during a previous bug fix.
This directory traversal flaw allows attackers to manipulate request URIs through rewritten URLs that are normalized before being decoded.
The vulnerability impacts rewrite rules that handle query parameters, potentially bypassing security constraints on sensitive directories like /WEB-INF/ and /META-INF/.
If PUT requests are enabled, attackers could exploit the vulnerability to upload malicious files and achieve remote code execution. However, PUT requests are generally restricted to trusted users, reducing the likelihood of exploitation in production environments.
The issue affects Apache Tomcat versions 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, and 9.0.0.M11 through 9.0.108, as discovered by security researcher Chumy Tsai from CyCraft Technology.
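The advisory's root cause, normalizing a rewritten URI before percent-decoding it, is a general canonicalization-order bug. The following Python is an added illustration of that bug class and its fix, not Tomcat's code and not a description of how its rewrite valve is implemented; the sample URIs and the two check functions are constructed for this example.

```python
from urllib.parse import unquote
import posixpath

# Paths a servlet container must never serve directly (named in the advisory).
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def normalize(path: str) -> str:
    """Collapse '.', '..' and repeated slashes; always return an absolute path."""
    norm = posixpath.normpath(path)
    return norm if norm.startswith("/") else "/" + norm


def blocked_normalize_then_decode(uri: str) -> bool:
    """Wrong order (hypothetical code showing the bug class).

    Traversal segments that arrive percent-encoded survive normalization as
    opaque text and only become '..' after the constraint check has passed.
    """
    canonical = unquote(normalize(uri))
    return canonical.upper().startswith(PROTECTED_PREFIXES)


def blocked_decode_then_normalize(uri: str) -> bool:
    """Correct order: decode once, refuse leftovers, then normalize and compare."""
    decoded = unquote(uri)
    # A '%' surviving one decode means double encoding; NUL bytes are never valid.
    if "%" in decoded or "\x00" in decoded:
        return True
    canonical = normalize(decoded)
    return canonical.upper().startswith(PROTECTED_PREFIXES)


# Constructed sample requests: a plain protected path, an encoded traversal
# towards the same file, and a harmless page.
SAMPLE_URIS = [
    "/WEB-INF/web.xml",
    "/app/%2e%2e/WEB-INF/web.xml",
    "/index.html",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri:32} normalize-then-decode blocks: "
              f"{blocked_normalize_then_decode(uri)!s:5} "
              f"decode-then-normalize blocks: {blocked_decode_then_normalize(uri)}")
```

Running it shows the encoded traversal slipping past the first check while the second check catches it, which is the behaviour the upgrade to the fixed releases removes.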
Console Manipulation Through Escape Sequences
The second vulnerability, CVE-2025-55754, carries a lower severity but still presents security concerns.
This vulnerability involves Apache Tomcat’s failure to properly escape ANSI escape sequences in log messages.
When running in a console environment on Windows systems that support ANSI escape sequences, specially crafted URLs can inject malicious escape sequences into log outputs.
These sequences can manipulate console displays and clipboard contents, potentially leading system administrators to execute attacker-controlled commands. While primarily observed on Windows platforms, similar attack vectors may exist on other operating systems.
The issue, identified by Elysee Franchuk of MOBIA Technology Innovations, affects Apache Tomcat versions 9, 10, and 11.
Mitigation and Updates
Apache has released patched versions to address both vulnerabilities. Organizations using affected Tomcat installations should upgrade to version 11.0.11, 10.1.45, or 9.0.109, depending on their deployment.
The security updates were announced on Mon, Oct 27, 2025. Detailed mitigation guidance is available through Apache’s official security advisories for each affected version series.