Critical Apache Tomcat Flaws Disclosed: Remote Code Execution Threat Urges Immediate Patching

Critical Apache Tomcat Vulnerabilities Expose Servers to Remote Code Execution

The Apache Software Foundation has recently disclosed two significant vulnerabilities in Apache Tomcat, a widely utilized open-source Java servlet container that underpins numerous web applications. These vulnerabilities, identified as CVE-2025-55752 and CVE-2025-55754, were announced on October 27, 2025, and affect multiple versions of Tomcat. The first vulnerability poses a risk of remote code execution (RCE) under specific configurations, while the second allows potential console manipulation, highlighting the urgent need for immediate patching in enterprise environments.

Directory Traversal Flaw Enables Remote Code Execution

The more severe of the two vulnerabilities, CVE-2025-55752, involves a directory traversal flaw introduced during the resolution of a previous issue (bug 60013). In this regression, rewritten URLs are normalized before decoding, enabling attackers to manipulate query parameters and bypass protections for sensitive directories such as `/WEB-INF/` and `/META-INF/`. If PUT requests are enabled—a configuration typically restricted to trusted users—malicious files can be uploaded, potentially leading to remote code execution. This flaw was discovered by Chumy Tsai of CyCraft Technology and is rated as having Important severity, emphasizing its potential impact on unpatched systems running Tomcat in production environments.
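The ordering bug described above (normalize first, decode second) is easy to see in a few lines. The following Python is an added illustration, not Tomcat's code: it models a request-path filter that must keep clients out of `/WEB-INF/` and `/META-INF/`, and contrasts the flawed order with the safe one (decode, then normalize, then check). The sample path is constructed for the demonstration; the page's own bug concerns rewritten URLs and their query string, which this generic model does not reproduce.

```python
"""Decode-before-normalize versus normalize-before-decode for path checks.

Illustrative model (not Tomcat source). A filter that normalizes the raw,
still percent-encoded path and checks it will not see an encoded '..'
segment; once the path is decoded afterwards, that segment reappears and
the effective path lands inside a protected directory.
"""
from typing import Tuple
from urllib.parse import unquote
import posixpath

# Directories a servlet container must never serve directly.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def is_protected(path: str) -> bool:
    """True if a canonical path equals or lies under a protected directory."""
    return any(path == p.rstrip("/") or path.startswith(p) for p in PROTECTED_PREFIXES)


def normalize(path: str) -> str:
    """Collapse '.', '..' and repeated slashes with POSIX semantics,
    always returning an absolute path."""
    norm = posixpath.normpath(path)
    return norm if norm.startswith("/") else "/" + norm


def check_normalize_then_decode(raw_path: str) -> Tuple[bool, str]:
    """The flawed order: the access check runs on the normalized but still
    encoded path, and decoding afterwards reintroduces traversal segments.
    Returns (blocked_by_check, path_the_server_would_actually_resolve)."""
    checked = normalize(raw_path)
    blocked = is_protected(checked)
    effective = normalize(unquote(checked))
    return blocked, effective


def check_decode_then_normalize(raw_path: str) -> Tuple[bool, str]:
    """The safe order: decode once so every segment is visible, normalize,
    then check the canonical result."""
    effective = normalize(unquote(raw_path))
    return is_protected(effective), effective


if __name__ == "__main__":
    # Constructed sample: one percent-encoded '..' segment.
    sample = "/app/%2e%2e/WEB-INF/web.xml"
    print("normalize-then-decode:", check_normalize_then_decode(sample))
    print("decode-then-normalize:", check_decode_then_normalize(sample))
```

The flawed variant reports the request as allowed while resolving it to `/WEB-INF/web.xml`; the safe variant blocks the same request. A real filter also has to decide what to do about repeated encoding and about case-insensitive filesystems, which this model deliberately leaves out.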

Console Manipulation Through Log Escapes

The second vulnerability, CVE-2025-55754, concerns the improper neutralization of ANSI escape sequences in Tomcat’s log messages. On Windows systems whose consoles support ANSI sequences, attackers could craft URLs that inject sequences to manipulate the console display or clipboard, or to trick administrators into executing commands. Although no direct attack vector was identified for other operating systems, the potential for social engineering remains a concern. This flaw, identified by Elysee Franchuk of MOBIA Technology Innovations, is rated as having Low severity but could be exploited in conjunction with other vulnerabilities to amplify threats in console-monitored setups.
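The fix class for this kind of issue is to make control characters visible before a request-derived value reaches a log sink. The Python below is an added example, not Tomcat's logging code: it rewrites every C0 control character (including ESC, 0x1B), DEL and the C1 range (0x80 to 0x9F, which contains the single-byte CSI 0x9B) as a printable `\uXXXX` token, so a console that interprets escape sequences only ever receives printable text. The access-log format and the sample request are constructed for the example.

```python
"""Neutralize terminal control sequences in values written to a log.

Added illustration, not Tomcat source. Anything a terminal could interpret
as a control character is replaced with a visible \\uXXXX token; printable
text, including non-ASCII letters, passes through unchanged.
"""


def neutralize(text: str) -> str:
    """Return `text` with every control character made printable.

    C0 (0x00-0x1F) covers ESC, CR, LF and TAB; 0x7F is DEL; C1 (0x80-0x9F)
    covers the 8-bit CSI/OSC introducers some terminals still honour.
    """
    out = []
    for ch in text:
        code = ord(ch)
        if code < 0x20 or 0x7F <= code <= 0x9F:
            out.append(f"\\u{code:04x}")
        else:
            out.append(ch)
    return "".join(out)


def format_access_log(client: str, method: str, uri: str, status: int) -> str:
    """Build a single access-log line, neutralizing the client-controlled
    request line fields before they are written."""
    return f'{client} "{neutralize(method)} {neutralize(uri)}" {status}'


if __name__ == "__main__":
    # Constructed sample: a request path carrying an ESC-introduced CSI
    # sequence ("clear screen"), as a console would otherwise interpret it.
    line = format_access_log("203.0.113.7", "GET", "/app/\x1b[2J/index.html", 404)
    print(line)
```

Escaping rather than stripping keeps the evidence: an analyst reading the log still sees that a request carried an escape sequence, which is exactly the signal worth alerting on.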

Mitigation Measures

To address these vulnerabilities, Apache urges users to upgrade to the following mitigated versions:

– Apache Tomcat 11.0.11
– Apache Tomcat 10.1.45
– Apache Tomcat 9.0.109

These versions include enhanced URL handling and log escaping to prevent exploitation of the identified flaws. Organizations should also audit their configurations, particularly those enabling PUT requests alongside URL rewrites, to prevent potential RCE chains. Given Tomcat’s widespread use in Java-based applications, prompt action is essential to maintain the security and integrity of affected systems.
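The two actions above, compare the installed version against the fixed releases and find deployments that accept PUT, can be scripted. The Python below is an added example, not an Apache tool: the fixed-version table is taken from the list above, and the PUT check looks for a servlet whose `readonly` init-param is set to `false`, which is the DefaultServlet parameter that governs PUT and DELETE in Tomcat. The `web.xml` fragment is constructed for the example; the script does not know which older branches are affected, so versions outside the three listed branches are reported as "not covered by this list" rather than as safe.

```python
"""Audit helpers for the Tomcat advisory above (added example, not Apache code).

needs_upgrade()        compares an installed version against the fixed
                       releases named in the advisory.
put_enabled_servlets() lists servlets in a web.xml whose DefaultServlet
                       'readonly' init-param is false, i.e. PUT is allowed.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# First fixed release on each supported branch, as listed in the advisory.
FIXED_VERSIONS = {11: (11, 0, 11), 10: (10, 1, 45), 9: (9, 0, 109)}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' (milestone suffixes such as '-M1' are ignored,
    so a milestone sorts with the release it precedes)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def needs_upgrade(version: str) -> Optional[bool]:
    """True if the version is below the fixed release on its branch,
    False if it is at or above it, None if the branch is not in the list."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed


def _local(tag: str) -> str:
    """Strip an XML namespace prefix ('{uri}servlet' -> 'servlet')."""
    return tag.rsplit("}", 1)[-1]


def put_enabled_servlets(web_xml: str) -> List[str]:
    """Return servlet names whose 'readonly' init-param is 'false'."""
    root = ET.fromstring(web_xml)
    found = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name, readonly = "", None
        for child in servlet:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                pname = pvalue = ""
                for p in child:
                    if _local(p.tag) == "param-name":
                        pname = (p.text or "").strip()
                    elif _local(p.tag) == "param-value":
                        pvalue = (p.text or "").strip()
                if pname == "readonly":
                    readonly = pvalue
        if readonly is not None and readonly.lower() == "false":
            found.append(name)
    return found


# Constructed web.xml fragment: the default servlet with PUT enabled.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
  </servlet>
</web-app>
"""

if __name__ == "__main__":
    for v in ("10.1.44", "10.1.45", "9.0.108", "11.0.0-M1", "8.5.100"):
        print(v, "needs upgrade:", needs_upgrade(v))
    print("servlets accepting PUT:", put_enabled_servlets(SAMPLE_WEB_XML))
```

A deployment that both accepts PUT and sits below the fixed release on its branch is the combination the advisory singles out; treat a `None` from `needs_upgrade()` as a prompt to check the branch's own status, not as a clean result.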