New Security Flaws Identified in Apache Tomcat
On October 27, 2025, the Apache Software Foundation issued a warning regarding two significant security vulnerabilities in Apache Tomcat affecting the 9, 10, and 11 release lines. System administrators are urged to act swiftly to mitigate the risks posed by these flaws, tracked as CVE-2025-55752 and CVE-2025-55754.
Vulnerability Details: CVE-2025-55752
The more critical vulnerability, CVE-2025-55752, carries an "Important" severity rating. It stems from a regression in the fix for a previously addressed bug (bug 60013) and allows directory traversal via rewritten URLs: because a rewritten request URI is normalized before it is decoded, encoded path components are not seen by the normalization step, so an attacker can craft a URI whose decoded form traverses outside the intended directory.
This behavior can bypass the protections on sensitive directories such as /WEB-INF/ and /META-INF/. If HTTP PUT requests are enabled on the server, the risk intensifies: an attacker could upload a malicious file, potentially leading to remote code execution (RCE).
Risk Assessment
Despite the severity of this attack vector, security experts indicate that the likelihood of exploitation in typical production environments is lower, primarily because HTTP PUT requests are generally restricted to trusted users.
Affected Apache Tomcat Versions
The CVE-2025-55752 vulnerability affects the following versions of Apache Tomcat:
- 11.0.0-M1 to 11.0.10
- 10.1.0-M1 to 10.1.44
- 9.0.0.M11 to 9.0.108
Older, end-of-life (EOL) versions may also be vulnerable.
Recommended Mitigation Actions
To mitigate this threat, administrators should upgrade to:
- Apache Tomcat 11.0.11
- Apache Tomcat 10.1.45
- Apache Tomcat 9.0.109 or higher
These updates include necessary patches to rectify the vulnerability.
The discovery of this issue is credited to Chumy Tsai of CyCraft Technology.
Vulnerability Details: CVE-2025-55754
The second vulnerability, CVE-2025-55754, carries a "Low" severity rating but still warrants attention. It allows console manipulation through ANSI escape sequences embedded in log messages when Tomcat runs in a console environment, most notably on Windows platforms that support these sequences.
Attackers can craft URLs that, when Tomcat logs them, inject escape sequences into the console output. This can alter the console's appearance or clipboard contents and may trick administrators into running unintended commands. Although this issue has mainly been observed on Windows, similar techniques could apply on other platforms.
Affected Versions for CVE-2025-55754
The affected ranges largely match those for CVE-2025-55752, except that the 9.x range begins at 9.0.40:
- 11.0.0-M1 to 11.0.10
- 10.1.0-M1 to 10.1.44
- 9.0.40 to 9.0.108
Action Steps for System Administrators
To protect against these vulnerabilities, system administrators should take the following steps:
- Identify Affected Deployments: Check installed versions against the provided lists of vulnerable ranges.
- Restrict HTTP PUT Requests: Disable or limit HTTP PUT requests if they are not essential, as this is critical to preventing exploitation of CVE-2025-55752.
- Update Software: Ensure systems are updated to the latest versions: Tomcat 11.0.11, 10.1.45, or 9.0.109, which address both vulnerabilities.
- Review Console Configurations: Especially on Windows systems, review logging and console settings to reduce risks associated with CVE-2025-55754.
- Monitor System Activity: Keep a close eye on system logs for any unusual behavior, including unexpected uploads or erratic console actions.
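A version check supporting the first of these steps, added here as an example and not part of the advisory: it encodes the affected ranges listed above, handles Tomcat's milestone version forms (11.0.0-M1, 9.0.0.M11), and assumes the "Server version: Apache Tomcat/x.y.z" line format printed by Tomcat's version script (the sample line below is constructed).

```python
import re

# Affected ranges taken from the advisory text above, inclusive at both ends.
AFFECTED = {
    "CVE-2025-55752": [("11.0.0-M1", "11.0.10"), ("10.1.0-M1", "10.1.44"), ("9.0.0.M11", "9.0.108")],
    "CVE-2025-55754": [("11.0.0-M1", "11.0.10"), ("10.1.0-M1", "10.1.44"), ("9.0.40", "9.0.108")],
}

# Accepts "x.y.z", "x.y.z-Mn" (10.x/11.x milestones) and "x.y.z.Mn" (9.x milestones).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
_SERVER_LINE_RE = re.compile(r"Apache Tomcat/(\S+)")


def parse_version(text):
    """Turn a Tomcat version string into a tuple that sorts correctly.

    A milestone sorts before the GA release of the same x.y.z: milestones
    become (x, y, z, 0, n) and GA releases become (x, y, z, 1, 0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def affected_cves(version):
    """Return the advisory CVE ids whose affected ranges contain `version`."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(parse_version(low) <= v <= parse_version(high) for low, high in ranges):
            hits.append(cve)
    return hits


def version_from_server_line(line):
    """Extract the version from a 'Server version: Apache Tomcat/9.0.108' line (assumed format)."""
    m = _SERVER_LINE_RE.search(line)
    if not m:
        raise ValueError(f"no Tomcat version found in: {line!r}")
    return m.group(1)


if __name__ == "__main__":
    # Constructed sample of what the version script prints on an unpatched host.
    sample = "Server version: Apache Tomcat/9.0.108"
    ver = version_from_server_line(sample)
    print(ver, "->", affected_cves(ver) or "not in any listed range")
```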
The advisory from the Apache Software Foundation emphasizes the urgency of these updates and the necessity of thorough monitoring to maintain secure operations in environments using Apache Tomcat.