# Full Report
The Apache Software Foundation has disclosed two new security vulnerabilities affecting multiple versions of Apache Tomcat, warning system administrators to take immediate action. The flaws, identified as CVE-2025-55752 and CVE-2025-55754, were officially announced on October 27, 2025, and impact Tomcat versions 9, 10, and 11.

## CVE-2025-55752: Directory Traversal Leading to Remote Code Execution

The more serious of the two vulnerabilities, CVE-2025-55752, is classified as “Important” severity. It stems from a regression introduced during the fix for an earlier issue (bug 60013). The flaw enables directory traversal via rewritten URLs, allowing an attacker to manipulate request URIs that are normalized before being decoded. This behavior can enable attackers to bypass Tomcat’s security mechanisms that protect sensitive directories such as `/WEB-INF/` and `/META-INF/`.

The situation becomes especially dangerous if HTTP PUT requests are enabled on the server. Under these conditions, an attacker could exploit the vulnerability to upload malicious files, potentially achieving remote code execution (RCE) on the host system. Security experts note that while this attack vector is severe, exploitation is less likely in typical production environments since PUT requests are usually restricted to trusted users.

The vulnerability affects the following Apache Tomcat versions:

- 11.0.0-M1 through 11.0.10
- 10.1.0-M1 through 10.1.44
- 9.0.0.M11 through 9.0.108

Older, end-of-life (EOL) versions may also be at risk.

**Mitigation:** Administrators are advised to upgrade to Apache Tomcat 11.0.11, 10.1.45, or 9.0.109 or later. These patched versions resolve the issue.

The flaw was discovered by Chumy Tsai of CyCraft Technology, who was credited for reporting the vulnerability.

In the official advisory, Mark Thomas from the Apache Software Foundation explained that the issue resulted from a regression where “the rewritten URL was normalized before it was decoded.” This allowed attackers to manipulate query parameters in rewrite rules and bypass constraints protecting sensitive paths.

## CVE-2025-55754: Console Manipulation Through Log Injection

The second flaw, CVE-2025-55754, has been rated as “Low” severity but still poses a notable risk. It allows console manipulation via ANSI escape sequences in log messages when Apache Tomcat is running in a console environment, most notably on Windows systems that support these sequences. Attackers can craft special URLs that, when logged by Tomcat, inject escape sequences into the console output. These can alter the console’s appearance or clipboard contents and could trick administrators into executing unintended commands. Although primarily observed on Windows systems, researchers caution that similar attack patterns could occur on other platforms.

The issue affects the following Apache Tomcat versions (the same 10.x and 11.x ranges as CVE-2025-55752, with a later starting point on the 9.0.x branch):

- 11.0.0-M1 through 11.0.10
- 10.1.0-M1 through 10.1.44
- 9.0.40 through 9.0.108

**Mitigation:** Users should upgrade to Apache Tomcat 11.0.11, 10.1.45, or 9.0.109, which include fixes for both vulnerabilities.

This vulnerability was discovered by Elysee Franchuk of MOBIA Technology Innovations, who was credited in the advisory.

## Timeline and Official Advisory

The Apache Software Foundation published its security advisory on October 27, 2025, urging organizations to update their Tomcat installations without delay. The announcement outlined detailed mitigation steps and confirmed that both vulnerabilities were resolved in the latest stable releases of the affected branches.

## Recommended Actions for Administrators

System administrators using Apache Tomcat are urged to:

- Identify affected deployments by checking installed versions against the vulnerable ranges.
- Disable or restrict HTTP PUT requests unless necessary, as this setting is key to potential exploitation of CVE-2025-55752.
- Apply the latest updates (Tomcat 11.0.11, 10.1.45, or 9.0.109) to address both vulnerabilities.
- Review logging and console configurations, especially on Windows systems, to mitigate risks associated with CVE-2025-55754.
- Monitor for suspicious activity, such as unexpected uploads, unusual log entries, or abnormal console behavior.
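The first recommended action, checking installed versions against the vulnerable ranges, is easy to get wrong by hand: the 9.0.x range for CVE-2025-55754 starts later than the one for CVE-2025-55752, and milestone builds (9.0.0.M11, 11.0.0-M1) sort before the GA release that carries the same number. The following Python is an added example written for this page, not code from the article or from the Apache Tomcat project. It encodes only the ranges and fixed versions listed above, treats a milestone as preceding its GA release, and accepts either a bare version string or a banner line that contains one (such as the `Server version:` line Tomcat's version script prints). A version outside the listed ranges, for example an end-of-life 8.5.x build, returns an empty result, which means not assessed rather than safe.

```python
import re
from typing import NamedTuple, Optional


class TomcatVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    ga: int         # 0 for milestone builds, 1 for GA, so 11.0.0-M1 < 11.0.0 under tuple ordering
    milestone: int  # milestone number, 0 for GA releases


# Matches a bare version or one embedded in a banner such as "Server version: Apache Tomcat/9.0.108".
# Both milestone spellings used in the advisory are accepted: 9.0.0.M11 and 11.0.0-M1.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")


def parse_version(text: str) -> TomcatVersion:
    """Extract and parse the first Tomcat version found in text."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return TomcatVersion(int(major), int(minor), int(patch), 1, 0)
    return TomcatVersion(int(major), int(minor), int(patch), 0, int(milestone))


# Inclusive affected ranges exactly as listed in the advisory.
AFFECTED_RANGES = {
    "CVE-2025-55752": [("11.0.0-M1", "11.0.10"), ("10.1.0-M1", "10.1.44"), ("9.0.0.M11", "9.0.108")],
    "CVE-2025-55754": [("11.0.0-M1", "11.0.10"), ("10.1.0-M1", "10.1.44"), ("9.0.40", "9.0.108")],
}

# First fixed release on each supported branch, keyed by major version.
FIXED_VERSIONS = {11: "11.0.11", 10: "10.1.45", 9: "9.0.109"}


def affected_cves(version: str) -> list[str]:
    """Return the CVE IDs whose affected ranges contain the given version.

    Branches outside the listed ranges (including EOL 8.5 and earlier) yield [],
    which means "not assessed by this advisory", not "safe".
    """
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED_RANGES.items():
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


def recommended_upgrade(version: str) -> Optional[str]:
    """Fixed release for an affected version's branch, or None when the version is not in the ranges."""
    v = parse_version(version)
    if not affected_cves(version):
        return None
    return FIXED_VERSIONS.get(v.major)


if __name__ == "__main__":
    # Constructed inputs standing in for the output of each host's version script.
    for banner in ["Server version: Apache Tomcat/9.0.108", "Apache Tomcat/10.1.45", "11.0.0-M3", "9.0.0.M5"]:
        cves = affected_cves(banner)
        verdict = ", ".join(cves) or "not in the advisory ranges"
        upgrade = f" -> upgrade to {recommended_upgrade(banner)}" if cves else ""
        print(f"{banner}: {verdict}{upgrade}")
```

Feed it the version line from each host's inventory rather than the Tomcat directory name; the directory may have been renamed during a previous upgrade.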
# Analysis Summary
This is a summary of the disclosed Apache Tomcat vulnerabilities (CVE-2025-55752 and CVE-2025-55754) announced on October 27, 2025.
---
# Vulnerability: Two Security Flaws in Apache Tomcat (Directory Traversal RCE and Log Injection)
## CVE Details
### CVE-2025-55752
- CVE ID: CVE-2025-55752
- CVSS Score: Not explicitly provided, but classified as **"Important" severity**.
- CWE: Likely related to Path Traversal (CWE-22).
### CVE-2025-55754
- CVE ID: CVE-2025-55754
- CVSS Score: Not explicitly provided, but classified as **"Low" severity**.
- CWE: Not explicitly provided; the behavior is related to Improper Neutralization of Special Elements used in an OS Command (the 'OS Command Injection' family), potentially related to improper log sanitization.
## Affected Systems
- Products: Apache Tomcat
- Versions:
- 11.0.0-M1 through 11.0.10
- 10.1.0-M1 through 10.1.44
- 9.0.0.M11 through 9.0.108 (Note: the article gives 9.0.0.M11 through 9.0.108 for CVE-2025-55752 and 9.0.40 through 9.0.108 for CVE-2025-55754; the broader range is used here.)
- Configurations:
- **CVE-2025-55752:** Exploitation leading to RCE is significantly more dangerous if **HTTP PUT requests are enabled** on the server.
## Vulnerability Description
### CVE-2025-55752 (Directory Traversal Leading to RCE)
This flaw is a regression from a previous fix (bug 60013). It involves directory traversal via rewritten URLs where request URIs are normalized *before* being decoded. This allows an attacker to manipulate request URIs to bypass security mechanisms protecting sensitive directories like `/WEB-INF/` and `/META-INF/`. If PUT requests are active, this can lead to the upload of malicious files and subsequent Remote Code Execution (RCE).
### CVE-2025-55754 (Console Manipulation Through Log Injection)
This vulnerability allows an attacker to inject ANSI escape sequences into log messages generated by Tomcat when running in a console environment (notably on Windows). This can alter the console's appearance, manipulate the clipboard contents, or potentially trick administrators into executing unintended commands.
## Exploitation
### CVE-2025-55752
- Status: Not explicitly stated as exploited in the wild, but described as "more serious."
- Complexity: Potentially **Medium** (requires specific configuration like PUT enabled).
- Attack Vector: Network.
### CVE-2025-55754
- Status: Not explicitly stated as exploited in the wild, but noted as a risk.
- Complexity: Not explicitly rated, but likely involves crafting specific URLs.
- Attack Vector: Network.
## Impact
### CVE-2025-55752
- Confidentiality: High (Potential RCE allows full system access).
- Integrity: High (Potential RCE allows arbitrary modification/upload).
- Availability: High (Potential denial of service via RCE).
### CVE-2025-55754
- Confidentiality: Low (Primarily impacts administrative view/trust).
- Integrity: Low (Potential to trick admins into running commands).
- Availability: Low.
## Remediation
### Patches
Administrators must upgrade to the following versions or newer:
- **Tomcat 11.0.11**
- **Tomcat 10.1.45**
- **Tomcat 9.0.109**
### Workarounds
1. **Disable or strictly restrict HTTP PUT requests** on affected servers to mitigate the highest risk associated with CVE-2025-55752.
2. Review server logging and console configurations, especially on Windows systems, to reduce exposure to CVE-2025-55754.
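A configuration check for workaround 1, as an added example that is not part of the advisory or of the Tomcat project's code. It relies on two facts from Tomcat's servlet documentation that the page itself does not state: the DefaultServlet (and the WebdavServlet) honour PUT and DELETE only when their `readonly` init-param is `false`, and the parameter defaults to `true` when absent. The `conf/web.xml` fragment below is constructed and deliberately carries the weak setting; `harden()` returns the corrected form. PUT handled by a custom servlet or by an application's own code is outside what this check can see.

```python
import xml.etree.ElementTree as ET

# Servlet classes whose "readonly" init-param governs whether PUT/DELETE are honoured.
# The parameter name and its default of "true" come from Tomcat's servlet documentation,
# not from the advisory.
WRITE_CAPABLE_SERVLETS = {
    "org.apache.catalina.servlets.DefaultServlet",
    "org.apache.catalina.servlets.WebdavServlet",
}

# Constructed conf/web.xml fragment in the shape Tomcat ships (Jakarta namespace as in
# Tomcat 10/11). readonly=false is the weak setting this check looks for.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _readonly_param(servlet):
    """Return the <init-param> element named readonly, or None if it is absent."""
    for param in servlet.findall("{*}init-param"):
        if param.findtext("{*}param-name", default="").strip() == "readonly":
            return param
    return None


def servlets_accepting_put(web_xml: str) -> list[str]:
    """Names of DefaultServlet/WebdavServlet declarations configured with readonly=false."""
    root = ET.fromstring(web_xml)
    offenders = []
    for servlet in root.findall("{*}servlet"):
        cls = servlet.findtext("{*}servlet-class", default="").strip()
        if cls not in WRITE_CAPABLE_SERVLETS:
            continue
        param = _readonly_param(servlet)
        # An absent parameter means Tomcat's default, readonly=true: PUT/DELETE are rejected.
        value = "true"
        if param is not None:
            value = param.findtext("{*}param-value", default="").strip().lower()
        if value == "false":
            offenders.append(servlet.findtext("{*}servlet-name", default="?").strip())
    return offenders


def harden(web_xml: str) -> str:
    """Return web_xml with readonly forced to true on every write-capable servlet."""
    root = ET.fromstring(web_xml)
    if root.tag.startswith("{"):
        # Keep the document's default namespace unprefixed in the serialized output.
        ET.register_namespace("", root.tag[1:root.tag.index("}")])
    for servlet in root.findall("{*}servlet"):
        cls = servlet.findtext("{*}servlet-class", default="").strip()
        if cls not in WRITE_CAPABLE_SERVLETS:
            continue
        param = _readonly_param(servlet)
        if param is not None:
            value_el = param.find("{*}param-value")
            if value_el is not None:
                value_el.text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("servlets accepting PUT:", servlets_accepting_put(WEAK_WEB_XML))
    print("after hardening:", servlets_accepting_put(harden(WEAK_WEB_XML)))
```

Run `servlets_accepting_put()` over both the global `conf/web.xml` and each application's `WEB-INF/web.xml`, since an application can redeclare the default servlet with its own parameters.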
## Detection
- Monitor for suspicious activity, particularly **unexpected file uploads** (related to CVE-2025-55752).
- Review Tomcat log entries for the presence of **unusual ANSI escape sequences** (related to CVE-2025-55754).
- Monitor the console output for abnormal behavior or visual corruption, especially on Windows hosts running Tomcat directly in the console.
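The second and third detection items can be scripted. The following Python is an added example, not from the advisory; the access-log lines are constructed, in the common log pattern Tomcat's AccessLogValve writes by default. It flags three ECMA-48 sequence families (CSI, OSC and the two-byte ESC sequences), labels OSC 52 separately because that is the clipboard-writing sequence, and also flags percent-encoded `%1B` because whether the logged URI is raw or decoded depends on the logging configuration (an assumption, so both forms are reported). `neutralize()` renders control bytes visibly so findings can be printed on the same console without replaying them.

```python
import re

# Raw escape sequences as they would reach a console that interprets them. The three
# alternatives follow the ECMA-48 sequence families (regex constructed for this example):
ESC_SEQ_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"            # CSI: ESC [ params final, e.g. ESC[2J (clear), ESC[1;31m (colour)
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC: ESC ] ... BEL or ESC \, e.g. ESC]52;c;<base64>BEL (clipboard)
    r"|\x1b[@-Z\\-_]"                      # two-byte sequences, e.g. ESC c (full terminal reset)
)

# Percent-encoded ESC in a request line. Whether Tomcat logs the raw or the decoded URI
# depends on the access-log configuration (assumption), so both forms are flagged.
ENCODED_ESC_RE = re.compile(r"%1[bB]")

# C0 control bytes other than tab, LF and CR, plus DEL; neutralize() renders these visibly.
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

# Constructed access-log lines in Tomcat's common pattern; 192.0.2.0/24 is a documentation range.
# Line 2 carries clear-screen and colour CSI sequences, line 3 an OSC 52 clipboard write with
# base64("constructed") as its payload, line 4 the percent-encoded form of ESC[2J.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [27/Oct/2025:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 612',
    '192.0.2.20 - - [27/Oct/2025:10:15:07 +0000] "GET /\x1b[2J\x1b[1;31mALERT HTTP/1.1" 404 -',
    '192.0.2.30 - - [27/Oct/2025:10:15:09 +0000] "GET /\x1b]52;c;Y29uc3RydWN0ZWQ=\x07 HTTP/1.1" 404 -',
    '192.0.2.40 - - [27/Oct/2025:10:15:12 +0000] "GET /%1B%5B2J HTTP/1.1" 404 -',
]


def classify(seq: str) -> str:
    """Name the family of one matched sequence; OSC 52 gets its own label because
    terminals that honour it let the sequence write the clipboard."""
    if seq.startswith("\x1b]52;"):
        return "osc52-clipboard"
    if seq.startswith("\x1b]"):
        return "osc"
    if seq.startswith("\x1b["):
        return "csi"
    return "esc"


def neutralize(line: str) -> str:
    """Render control bytes as \\xNN so a finding can be printed without replaying it."""
    return CONTROL_RE.sub(lambda m: f"\\x{ord(m.group()):02x}", line)


def scan_log(lines) -> list[dict]:
    """Return one finding per line that contains raw or percent-encoded escape sequences."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        raw = ESC_SEQ_RE.findall(line)
        encoded = len(ENCODED_ESC_RE.findall(line))
        if raw or encoded:
            findings.append({
                "line": lineno,
                "kinds": [classify(s) for s in raw],
                "encoded": encoded,
                "safe": neutralize(line),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_ACCESS_LOG):
        label = ", ".join(f["kinds"]) or "percent-encoded ESC"
        print(f"line {f['line']}: {label} -> {f['safe']}")
```

Point `scan_log()` at the access log and at `catalina.out` (or the console transcript) separately: the advisory's concern is what reaches the console, and the access log shows which requests put it there.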
## References
- Vendor Advisory Published: October 27, 2025 (Apache Software Foundation)