Apache Tomcat Vulnerability: Update Now to Avoid Security Risks
Redazione RHC : 28 October 2025 06:52

Many web applications rely on Apache Tomcat, a widely used open-source Java servlet container. On October 27, 2025, Apache disclosed two vulnerabilities: CVE-2025-55752 and CVE-2025-55754, affecting several versions of Tomcat.

Affected versions include Apache Tomcat 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, and 9.0.0.M11 through 9.0.108; earlier end-of-life (EOL) release lines are also vulnerable but receive no fix.

Both warrant prompt patching in enterprise environments: CVE-2025-55752 can lead to remote code execution (RCE) in certain configurations, while CVE-2025-55754 allows an attacker to manipulate the console of whoever reads the logs.

The more severe of the two, CVE-2025-55752, is a path traversal bug that was introduced by the fix for an earlier Tomcat bug (60013) and only affects deployments that use Tomcat's rewrite valve. After that fix, a rewritten URL was normalized before it was decoded, so a percent-encoded traversal sequence survives normalization and only becomes a real ".." afterwards. Depending on the rewrite rules in use, an attacker can manipulate the query string to reach resources that the container is supposed to protect, such as /WEB-INF/ and /META-INF/.

If PUT requests are also enabled, a configuration normally restricted to trusted users, the same traversal lets an attacker write a malicious file into the web application and obtain remote code execution. The vulnerability was reported by Chumy Tsai of CyCraft Technology and is rated Important by Apache; on unpatched production systems that combine rewrite rules with PUT, the impact is a full compromise of the servlet container.
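The ordering bug described above, normalizing a path before decoding it, is a general class of mistake rather than something specific to Tomcat. The following Python snippet is an added illustration, not Tomcat's code or anything from the advisory: it models a minimal container that checks a security constraint on the normalized path and shows how a percent-encoded ".." slips past the check when decoding happens afterwards, and how the check holds when decoding happens first. The constraint list and the request targets are constructed for the demonstration.

```python
from urllib.parse import unquote
import posixpath

# Directories a servlet container must never serve directly (constructed list).
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments the way a container does before it
    applies security constraints. posixpath.normpath drops a trailing slash,
    which is restored so directory targets keep their shape."""
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def is_protected(path: str) -> bool:
    """Security-constraint check: does the path land inside a protected dir?"""
    return any(path.startswith(p) for p in PROTECTED_PREFIXES)


def resolve_buggy(raw: str) -> tuple:
    """Normalize, check the constraint, THEN decode (the ordering the
    advisory describes). Returns (path the file system would actually open,
    whether the constraint check blocked the request)."""
    norm = normalize(raw)              # '%2e%2e' is not '..' yet, so nothing collapses
    blocked = is_protected(norm)       # check runs on the still-encoded path
    effective = normalize(unquote(norm))  # decoding afterwards revives '..'
    return effective, blocked


def resolve_fixed(raw: str) -> tuple:
    """Decode first, then normalize, then check: the encoded '..' becomes a
    real '..' before the constraint check ever sees the path."""
    norm = normalize(unquote(raw))
    return norm, is_protected(norm)


if __name__ == "__main__":
    for target in ("/app/index.html",
                   "/app/../WEB-INF/web.xml",        # plain traversal: caught either way
                   "/app/%2e%2e/WEB-INF/web.xml"):   # encoded traversal: the bug
        print(f"{target:32} buggy={resolve_buggy(target)} fixed={resolve_fixed(target)}")
```

Run as a script it prints one line per constructed target; the encoded form is the only one where the buggy path reports `blocked=False` while still resolving to `/WEB-INF/web.xml`. The same test, with `..` spelled as `%2e%2e` or `%2E%2E`, is a quick way to probe any rewrite rule you rely on.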

The second issue, CVE-2025-55754, is a log injection bug: Tomcat did not escape ANSI escape sequences in log messages. When the logs are viewed on a console that interprets such sequences, which the advisory calls out for Windows, an attacker can craft a URL that, once logged, manipulates the console display or clipboard, or tricks an administrator into executing an attacker-chosen command.

This flaw affects Tomcat versions 11.0.0-M1 to 11.0.10, 10.1.0-M1 to 10.1.44, and 9.0.40 to 9.0.108, as well as the EOL 8.5.60 to 8.5.100 range.

Reported by Elysee Franchuk of MOBIA Technology Innovations, the issue stems from unescaped log output: control sequences embedded in an ordinary request reach the terminal of whoever reads the log, and no authentication is required to send such a request.
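To make the log injection concrete, here is an added Python example (not Tomcat's logging code) with two halves: a detector that finds raw CSI and OSC escape sequences in a log line, and the neutralization step Tomcat's fix amounts to, replacing every control character with a visible `\xNN` token before the line is written. The attack path is a constructed sample that clears the screen and uses OSC 52 to place base64 text (here just "echo pwned") on the reader's clipboard; whether a given terminal honours OSC 52 depends on its configuration, which is why the advisory singles out consoles that interpret these sequences.

```python
import re

# C0 controls (including ESC, 0x1b), DEL, and the C1 range that some terminals
# also treat as control codes. CR/LF are included, which also stops classic
# newline-based log forging.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")

# Constructed attacker request path (already percent-decoded, as it would be
# at logging time): clear the screen, then OSC 52 clipboard write.
ATTACK_PATH = "/index.html\x1b[2J\x1b]52;c;ZWNobyBwd25lZA==\x07"

# ECMA-48 CSI: ESC [ params(0x30-0x3f) intermediates(0x20-0x2f) final(0x40-0x7e)
# OSC: ESC ] ... terminated by BEL or by ESC \ (string terminator)
_ESCAPE_SEQ = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")


def find_escape_sequences(log_line: str) -> list:
    """Detection: return the raw terminal escape sequences present in a line.
    Useful for scanning existing access logs for exploitation attempts."""
    return _ESCAPE_SEQ.findall(log_line)


def escape_for_log(value: str) -> str:
    """Neutralization: render every control character as a visible \\xNN token
    so a log viewer sees text instead of executing a terminal command."""
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def log_access(path: str, status: int) -> str:
    """Build one access-log line with the request path neutralized."""
    return f"GET {escape_for_log(path)} HTTP/1.1 -> {status}"


if __name__ == "__main__":
    print("raw sequences found:", [s.encode() for s in find_escape_sequences(ATTACK_PATH)])
    print("safe log line:      ", log_access(ATTACK_PATH, 404))
```

The detector can be pointed at an existing log file one line at a time; any non-empty result on a pre-upgrade instance is a request worth looking at, since ordinary browsers never emit these bytes in a URL.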

Apache encourages users to upgrade to the fixed releases, Tomcat 11.0.11, 10.1.45, or 9.0.109 or later, which address both vulnerabilities through corrected URL handling in the rewrite valve and escaping of log output. The 8.5 line is end-of-life and receives no fix, so affected 8.5 deployments need to move to a supported line.
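Checking a fleet against the version ranges above is error-prone by hand because Tomcat milestone builds sort before the GA release they precede and the two CVEs have different lower bounds on the 9.0 line. The following Python helper is an added example, not an Apache tool: it parses a Tomcat version string (both the `9.0.0.M11` and `11.0.0-M1` milestone spellings), reports which of the two CVEs apply, and names the fixed release for that line. The ranges are the ones stated in this article; the article gives the 8.5.60 to 8.5.100 range explicitly only for CVE-2025-55754 and says EOL versions are affected by both, so applying the same 8.5 range to CVE-2025-55752 is an assumption made here.

```python
import re
from typing import Optional

# Affected ranges as stated in the article. The 8.5 range for CVE-2025-55752
# is an assumption (the article only says earlier EOL versions are affected).
AFFECTED = {
    "CVE-2025-55752": [("11.0.0-M1", "11.0.10"), ("10.1.0-M1", "10.1.44"),
                       ("9.0.0.M11", "9.0.108"), ("8.5.60", "8.5.100")],
    "CVE-2025-55754": [("11.0.0-M1", "11.0.10"), ("10.1.0-M1", "10.1.44"),
                       ("9.0.40", "9.0.108"), ("8.5.60", "8.5.100")],
}

# First fixed release per supported line, as given in the article; 8.5 has none.
FIXED = {11: "11.0.11", 10: "10.1.45", 9: "9.0.109"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(version: str) -> tuple:
    """Return a sortable key (major, minor, patch, milestone). GA releases get
    an infinite milestone so that 9.0.0.M11 < 9.0.0 < 9.0.1."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone else float("inf"))


def affected_cves(version: str) -> list:
    """CVE identifiers from this advisory that apply to the given version."""
    key = parse_version(version)
    return [cve for cve, ranges in AFFECTED.items()
            if any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in ranges)]


def recommended_upgrade(version: str) -> Optional[str]:
    """First fixed release on the same line, or None if the line is EOL."""
    return FIXED.get(parse_version(version)[0])


if __name__ == "__main__":
    # Constructed inventory of version strings, e.g. from `catalina.sh version`.
    for v in ("9.0.108", "9.0.10", "9.0.0.M11", "10.1.45", "11.0.0-M1", "8.5.100"):
        print(f"{v:10} affected={affected_cves(v)} upgrade_to={recommended_upgrade(v)}")
```

The version string itself can be read from `catalina.sh version` (or `version.sh`) on each host, or from the `ServerInfo` banner in catalina.out, and fed to `affected_cves` as shown in the loop.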
