The Apache Software Foundation Alerts Users to Serious Vulnerabilities in Tomcat
The Apache Software Foundation has disclosed two vulnerabilities in Apache Tomcat, the widely deployed open-source Java servlet container.
On October 27, 2025, Apache published advisories for CVE-2025-55752 and CVE-2025-55754, which affect every currently supported Tomcat branch.
The first, a regression introduced by an earlier bug fix, is a directory traversal that can lead to remote code execution (RCE) when PUT requests are also enabled; the second, a missing escaping step in the logging code, lets an attacker plant ANSI escape sequences in log output and manipulate the console of whoever reads it.
Both warrant prompt remediation, the first in particular.
Directory Traversal Vulnerability Facilitates RCE
The more serious of the two, CVE-2025-55752, is a directory traversal flaw introduced as a regression by the fix for bug 60013.
That fix normalized the rewritten URL before decoding it. Encoded traversal sequences survive normalization and only become visible after decoding, so a specially crafted URL, combined with rewrite rules that manipulate query-string parameters, can bypass the security constraints protecting /WEB-INF/ and /META-INF/.
If PUT requests are also enabled (not the default, and considered unsafe for untrusted users), an attacker can upload files into the web application, which can lead to RCE.
Reported by Chumy Tsai of CyCraft Technology, the issue is rated Important by the Apache Tomcat security team; on an unpatched production instance with the vulnerable configuration, the impact is full compromise of the application.
Affected versions are Apache Tomcat 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, and 9.0.0.M11 through 9.0.108; older end-of-life (EOL) releases may also be affected.
The root cause is the order of operations: the security constraint is evaluated against a normalized but still-encoded path, so the path that is checked is not the path that results once decoding has run.
| CVE ID | Severity | Affected Versions | CVSS Score | Technical Description | Credit |
|---|---|---|---|---|---|
| CVE-2025-55752 | Important | 11.0.0-M1 to 11.0.10; 10.1.0-M1 to 10.1.44; 9.0.0.M11 to 9.0.108 | N/A (Apache rating: Important) | Directory traversal: rewritten URL is normalized before it is decoded, bypassing /WEB-INF/ and /META-INF/ restrictions; with PUT enabled, allows file upload and RCE. | Chumy Tsai (CyCraft) |
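To make the ordering problem concrete, here is an added example (written for this page, not Tomcat's code) that models a request path passing through normalization, a /WEB-INF/ and /META-INF/ constraint check, and decoding in the two possible orders. The function names, the simplified pipeline and the sample request targets are assumptions for illustration; the real flaw additionally depends on rewrite rules that fold query-string content into the path, which this model omits.

```python
# Added example (not Tomcat code): a simplified model of the normalize-before-decode
# ordering bug behind CVE-2025-55752. Function names, the pipeline and the sample
# paths are assumptions for illustration; Tomcat's real request handling is more involved.
import posixpath
from urllib.parse import unquote

PROTECTED = ("/WEB-INF/", "/META-INF/")


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments and duplicate slashes, as a servlet container does."""
    return posixpath.normpath(path)


def is_protected(path: str) -> bool:
    """Security constraint: nothing under /WEB-INF/ or /META-INF/ may be served."""
    upper = path.upper()
    return upper.startswith(PROTECTED) or upper in ("/WEB-INF", "/META-INF")


def resolve_buggy(raw_path: str):
    """Regression order: normalize the still-encoded path, check the constraint, then decode.
    Returns the path that would be served, or None if the request is rejected."""
    checked = normalize(raw_path)      # %2f and %2e are opaque here, so no '..' segment is seen
    if is_protected(checked):
        return None
    decoded = unquote(checked)         # the '..' appears only now
    return normalize(decoded)          # and the file layer resolves it into the protected directory


def resolve_fixed(raw_path: str):
    """Fixed order: decode first, then normalize, then check the constraint."""
    path = normalize(unquote(raw_path))
    if is_protected(path):
        return None
    return path


SAMPLES = [  # constructed request targets for the demonstration, not from any real incident
    "/index.html",
    "/WEB-INF/web.xml",                  # plainly protected: both orders reject it
    "/app/..%2fWEB-INF/web.xml",         # an encoded slash hides the '..' segment
    "/app/%2e%2e/WEB-INF/web.xml",       # encoded dots do the same
    "/app/%2e%2e/META-INF/MANIFEST.MF",
]


def compare(samples=SAMPLES) -> dict:
    """Return {raw_path: (buggy_result, fixed_result)} for each sample request target."""
    return {raw: (resolve_buggy(raw), resolve_fixed(raw)) for raw in samples}


if __name__ == "__main__":
    for raw, (buggy, fixed) in compare().items():
        print(f"{raw:40} buggy -> {str(buggy):22} fixed -> {fixed}")
```

Two caveats follow from the fixed order: the decoder must run exactly once (a second pass would reintroduce the same class of bug through double encoding such as %252e), and an encoded slash should normally be rejected outright, which is why Tomcat refuses %2f by default.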
Console Manipulation via Log Escapes
The second issue, CVE-2025-55754, concerns Tomcat's failure to escape ANSI escape sequences in log messages.
An attacker can embed escape sequences in a crafted URL; when the request is logged and the log is viewed on a Windows console that supports ANSI escape sequences, the sequences can manipulate the console display and the clipboard, which can be used to trick an administrator into running a malicious command.
No attack vectors have been identified for other operating systems, although Apache notes that some may exist. The flaw is rated Low and affects Tomcat 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, and 9.0.40 through 9.0.108, as well as the EOL releases 8.5.60 through 8.5.100.
Reported by Elysee Franchuk of MOBIA Technology Innovations, the problem is simply that log entries are written without escaping control characters, so a request need not be authenticated to plant a sequence; it only has to be logged.
| CVE ID | Severity | Affected Versions | CVSS Score | Technical Description | Credit |
|---|---|---|---|---|---|
| CVE-2025-55754 | Low | 11.0.0-M1 to 11.0.10; 10.1.0-M1 to 10.1.44; 9.0.40 to 9.0.108; 8.5.60 to 8.5.100 (EOL) | N/A (Apache rating: Low) | Unescaped ANSI escape sequences in log messages allow console and clipboard manipulation on Windows consoles; crafted URLs can be used to deceive an administrator into running a command. | Elysee Franchuk (MOBIA) |
Although rated Low, the issue is relevant wherever administrators read Tomcat output in a terminal, and it can compound other weaknesses by giving an attacker a way to hide activity or to steer an operator toward a harmful command.
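The following added example (written for this page, not Tomcat's own logging code) shows both sides of the problem: a sanitizer that makes control characters visible before a message is written, and a detector that finds escape sequences already sitting in a log file. The log lines, the request target and the function names are constructed for the demonstration; the CSI and OSC sequence grammar is the standard terminal one, and OSC 52 is the clipboard-write command.

```python
# Added example (not Tomcat code): how an unescaped request target carries terminal
# control sequences into a log line, with a sanitizer for log writers and a detector
# for existing logs. All log lines below are constructed, not real Tomcat output.
import re

# ESC followed by either a CSI sequence (ESC [ parameters final-byte) or an OSC
# sequence (ESC ] payload terminated by BEL or ESC \). OSC 52 writes to the clipboard.
ANSI_RE = re.compile(r"\x1b(?:\[[0-?]*[ -/]*[@-~]|\][^\x07\x1b]*(?:\x07|\x1b\\))")


def escape_control_chars(message: str) -> str:
    """Mitigation side: render every C0 control character (except tab) and DEL as \\uXXXX
    so a terminal receives text rather than a raw ESC byte."""
    out = []
    for ch in message:
        code = ord(ch)
        if (code < 0x20 and ch != "\t") or code == 0x7F:
            out.append("\\u%04x" % code)
        else:
            out.append(ch)
    return "".join(out)


def find_ansi_sequences(line: str) -> list:
    """Return the raw escape sequences embedded in one log line."""
    return ANSI_RE.findall(line)


def scan_log(lines) -> list:
    """Detection side: (line_number, sequences) for every line carrying escape sequences."""
    hits = []
    for number, line in enumerate(lines, start=1):
        seqs = find_ansi_sequences(line)
        if seqs:
            hits.append((number, seqs))
    return hits


# Constructed request target: OSC 52 puts base64 text ("echo pwned") on the clipboard,
# CSI 2J clears the screen and CSI 1;1H homes the cursor so the operator sees a clean display.
CRAFTED_TARGET = "/\x1b]52;c;ZWNobyBwd25lZA==\x07\x1b[2J\x1b[1;1H/app/"
CONSTRUCTED_LOG = [
    '10.0.0.5 - - [27/Oct/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1234',
    f'10.0.0.9 - - [27/Oct/2025:10:00:01 +0000] "GET {CRAFTED_TARGET} HTTP/1.1" 400 0',
]


def main():
    for number, seqs in scan_log(CONSTRUCTED_LOG):
        print(f"line {number}: {len(seqs)} escape sequence(s): {[escape_control_chars(s) for s in seqs]}")
    for line in CONSTRUCTED_LOG:
        print(escape_control_chars(line))


if __name__ == "__main__":
    main()
```

The sanitizer belongs at the point where a message is formatted for output, not at the point where the request is parsed, because the same text may be written by several loggers. The detector is the check to run over existing access and catalina logs on an instance that was exposed before patching: any hit is a request that deserves a closer look.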
Call for Urgent Mitigation and Implications

Apache recommends upgrading to Tomcat 11.0.11, 10.1.45, or 9.0.109 or later; these releases decode rewritten URLs before normalizing them and escape control sequences in log output, fixing both issues.
Until the upgrade is in place, organizations should audit their configurations for the combination that opens the RCE path: a DefaultServlet with readonly set to false (which is what enables PUT) together with the RewriteValve and its rewrite rules.
Given how widely Tomcat is deployed in Java applications, unpatched instances are plausible targets, as happened with the earlier CVE-2025-24813.
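As an added example for that audit (not a tool from the Apache project), the script below checks a Tomcat version string against the first fixed release of each branch, and parses a web.xml and a server.xml for the two settings that together form the RCE path. The version table follows the advisory; the XML documents are constructed samples; the element and attribute names (DefaultServlet, readonly, Valve className) are the standard Tomcat ones, and the function names are assumptions.

```python
# Added example (not Tomcat code): an offline audit for the CVE-2025-55752 RCE path.
# The fixed-version table comes from the advisory; the XML is a constructed sample and
# the function names are assumptions for illustration.
import re
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
REWRITE_VALVE = "org.apache.catalina.valves.rewrite.RewriteValve"
FIRST_FIXED = {(11, 0): 11, (10, 1): 45, (9, 0): 109}   # first fixed patch level per branch
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")       # milestone suffixes (.M11, -M1) are ignored


def needs_upgrade(version: str) -> bool:
    """True if the version precedes the first fixed release of its branch or sits on an EOL branch."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    fixed = FIRST_FIXED.get((major, minor))
    if fixed is None:
        # branches older than 9.0 are EOL with no fix; anything newer post-dates the advisory
        return (major, minor) < min(FIRST_FIXED)
    return patch < fixed


def default_servlet_writable(web_xml: str) -> bool:
    """True if the DefaultServlet has readonly=false, which enables PUT (and DELETE)."""
    root = ET.fromstring(web_xml)
    for servlet in root.iterfind(".//{*}servlet"):
        if servlet.findtext("{*}servlet-class", "").strip() != DEFAULT_SERVLET:
            continue
        for param in servlet.iterfind(".//{*}init-param"):
            if param.findtext("{*}param-name", "").strip() == "readonly":
                return param.findtext("{*}param-value", "").strip().lower() == "false"
    return False   # readonly defaults to true


def rewrite_valve_present(server_or_context_xml: str) -> bool:
    """True if a RewriteValve is declared anywhere in the given server.xml or context.xml."""
    root = ET.fromstring(server_or_context_xml)
    return any(v.get("className") == REWRITE_VALVE for v in root.iter("Valve"))


def audit(version: str, web_xml: str, server_xml: str) -> dict:
    """Combine the three checks; rce_path_open is true only when all of them hold."""
    findings = {
        "vulnerable_version": needs_upgrade(version),
        "put_enabled": default_servlet_writable(web_xml),
        "rewrite_valve": rewrite_valve_present(server_xml),
    }
    findings["rce_path_open"] = all(findings.values())
    return findings


# Constructed samples: a web.xml that turns PUT on and a server.xml with the RewriteValve.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for version in ("9.0.108", "9.0.109", "11.0.0-M1", "8.5.100"):
        print(version, audit(version, SAMPLE_WEB_XML, SAMPLE_SERVER_XML))
```

In a real deployment the RewriteValve may be declared in a per-application context.xml rather than in server.xml, and the readonly parameter may be overridden in an application's own web.xml as well as in conf/web.xml, so run the two XML checks over every file of each kind. A vulnerable version with PUT disabled is still a traversal bug and still needs the upgrade; the script only tells you whether the upload-to-RCE step is reachable.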
Source link: Cybersecuritynews.com.