Severity
High
Analysis Summary
The Apache Software Foundation has disclosed two vulnerabilities in Apache Tomcat, a popular open-source Java servlet container widely used across enterprise and web environments. Announced on October 27, 2025, the flaws, tracked as CVE-2025-55752 and CVE-2025-55754, affect multiple Tomcat versions and pose different levels of risk. The first can lead to remote code execution (RCE) under specific configurations, while the second allows potential console manipulation on Windows systems. Both vulnerabilities underline the need for prompt patching, particularly in production environments that rely on Tomcat to host sensitive or business-critical web applications.
The more severe of the two, CVE-2025-55752, is a directory traversal vulnerability introduced as a regression in a previous bug fix (bug 60013). It affects Tomcat versions 11.0.0-M1 to 11.0.10, 10.1.0-M1 to 10.1.44, and 9.0.0-M11 to 9.0.108. The flaw arises from a logic error in URL rewriting: rewritten URLs are normalized before they are decoded, so the security checks that protect directories such as /WEB-INF/ and /META-INF/ are applied to a path that still contains encoded traversal sequences and can be bypassed. If the vulnerable server has PUT requests enabled, an attacker could exploit this weakness to upload malicious files and achieve RCE. Discovered by a researcher, the issue is rated “Important,” emphasizing its potential for exploitation in misconfigured or unpatched systems.
The second vulnerability, CVE-2025-55754, involves improper neutralization of ANSI escape sequences in Tomcat’s log messages. Reported by a researcher, this flaw affects versions 11.0.0-M1 to 11.0.10, 10.1.0-M1 to 10.1.44, 9.0.0.40 to 9.0.108, and certain EOL versions such as 8.5.60 to 8.5.100. On Windows consoles that support ANSI sequences, attackers could craft URLs that inject escape codes into logs, potentially manipulating the console display or clipboard and tricking administrators into executing unintended commands. Although rated “Low” severity and lacking a direct exploitation path on non-Windows systems, it still poses a social engineering risk, especially when combined with other vulnerabilities or poor logging hygiene.
To mitigate these vulnerabilities, Apache strongly recommends upgrading to the patched releases Tomcat 11.0.11, 10.1.45, or 9.0.109 and later, which include improved URL handling and proper log escaping. Administrators should audit their configurations, ensuring that PUT requests are disabled unless absolutely necessary and that logging practices are hardened against injection-based manipulation. Given Tomcat’s extensive use in Java-based applications and web infrastructure, delayed patching could expose organizations to RCE attacks or console-based manipulation similar to past exploitation chains such as CVE-2025-24813. Immediate action and strict configuration reviews are essential to safeguarding Tomcat deployments from these threats.
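The two mechanisms above (normalize-before-decode in the rewrite path, and unescaped control characters reaching the log) can be modelled in a few lines. The following helper is an added illustration, not Tomcat's code: it compares the access decision a guard makes under each ordering with the resource a container would ultimately resolve, and shows the log-escaping behaviour a patched server should have. `PROTECTED_PREFIXES`, `audit_request` and `sanitize_for_log` are names chosen here; the sample paths in the usage are constructed.

```python
import posixpath
from urllib.parse import unquote

# Directories a servlet container must never serve directly (assumed list).
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments the way a container does, keeping the leading '/'."""
    norm = posixpath.normpath(path)
    return norm if norm.startswith("/") else "/" + norm


def is_protected(path: str) -> bool:
    """True if a canonical path lies inside a protected directory (case-insensitive)."""
    return path.upper().startswith(PROTECTED_PREFIXES)


def guard_allows(raw_path: str, decode_first: bool) -> bool:
    """The access check as it behaves under each ordering of decode and normalize."""
    if decode_first:
        checked = normalize(unquote(raw_path))   # correct order: decode, then normalize
    else:
        checked = normalize(raw_path)            # flawed order: normalize while still encoded
    return not is_protected(checked)


def served_path(raw_path: str) -> str:
    """The resource the container ultimately resolves on disk, whatever the guard inspected."""
    return normalize(unquote(raw_path))


def audit_request(raw_path: str) -> dict:
    """Compare both orderings for one request path and flag an ordering-dependent bypass."""
    flawed_ok = guard_allows(raw_path, decode_first=False)
    fixed_ok = guard_allows(raw_path, decode_first=True)
    return {
        "served": served_path(raw_path),
        "flawed_order_allows": flawed_ok,
        "fixed_order_allows": fixed_ok,
        # A bypass: the flawed guard passed a request that actually lands in a protected dir.
        "bypass": flawed_ok and is_protected(served_path(raw_path)),
    }


def sanitize_for_log(text: str) -> str:
    """Escape control characters (ESC included) so a logged URL cannot drive the console."""
    return "".join(c if c.isprintable() else f"\\x{ord(c):02x}" for c in text)
```

Running `audit_request` over your access logs' request paths is a quick way to find requests that only the flawed ordering would have admitted, which is worth checking on any instance that ran an affected version before patching.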
Impact
- Remote Code Execution
- Gain Access
Indicators of Compromise
CVE
CVE-2025-55752
CVE-2025-55754
Remediation
- Upgrade Tomcat immediately to patched releases (11.0.11, 10.1.45, or 9.0.109+) on all servers.
- Disable HTTP PUT unless explicitly required; PUT enables file uploads and raises the RCE risk.
- If PUT is required, restrict it to authenticated users, specific IPs, or internal networks only.
- Review and harden URL rewrite rules (and temporarily disable unsafe rewrites) to prevent path-normalization bypasses.
- Harden logging: ensure log output is properly escaped, and avoid displaying raw request data in console logs.
- Deploy WAF rules to block suspicious path-traversal patterns and unusual upload attempts.
- Inventory & scan: find all Tomcat instances (including older/EOL versions) and scan them for the vulnerabilities.