Apache Tomcat Vulnerability: Update Now to Avoid Security Risks

Redazione RHC: 28 October 2025 06:52

Many web applications rely on Apache Tomcat, a widely used open-source Java servlet container. On October 27, 2025, Apache disclosed two vulnerabilities: CVE-2025-55752 and CVE-2025-55754, affecting several versions of Tomcat.

Affected versions include Apache Tomcat 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, and 9.0.0-M11 through 9.0.108, with earlier end-of-life (EOL) versions also vulnerable.

The need for immediate patching in enterprise environments is underscored by the fact that CVE-2025-55752 can lead to remote code execution (RCE) in certain configurations, while CVE-2025-55754 opens the door to console manipulation.

The most severe vulnerability, CVE-2025-55752, involves a path traversal bug introduced by the fix for a previous bug (60013). Rewritten URLs are normalized before they are decoded, so an attacker can craft query parameters that bypass the protections for sensitive directories such as /WEB-INF/ and /META-INF/.

When PUT requests are enabled (a configuration normally restricted to trusted users), malicious files can be uploaded, resulting in remote code execution. This vulnerability, identified by Chumy Tsai of CyCraft Technology, has been classified as extremely severe, highlighting its potential impact on unpatched systems running Tomcat in production environments.

In addition to the traversal issue, CVE-2025-55754 addresses a bug that improperly neutralizes ANSI escape sequences in Tomcat log messages. On Windows systems with ANSI-enabled consoles, attackers could craft URLs to inject sequences that manipulate the console display, clipboard, or even trick administrators into executing commands.

This flaw affects Tomcat versions 11.0.0-M1 to 11.0.10, 10.1.0-M1 to 10.1.44, and 9.0.0.40 to 9.0.108, as well as select EOL versions such as 8.5.60 to 8.5.100.

Identified by Elysee Franchuk of MOBIA Technology Innovations, the issue stems from unescaped logs, which allow control sequences to influence terminal behavior without authentication.
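As an added illustration (not Tomcat's code; the log lines below are constructed samples), this is one way a log sink can neutralize control characters before they reach a console, as the fix for CVE-2025-55754 does, together with a check that flags raw ANSI sequences already sitting in existing log files:

```python
import re

# ESC and the other C0 control characters (plus DEL) that an ANSI-capable
# console acts on. CR, LF and TAB are rewritten separately below.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

def neutralize_for_log(text: str) -> str:
    """Return text that is safe to write to a console log: every control
    character becomes a visible escape such as \\x1b, so the terminal never
    receives a raw ESC and cannot be driven by an injected sequence."""
    text = text.replace("\r", "\\r").replace("\n", "\\n").replace("\t", "\\t")
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), text)

# A complete CSI sequence (ESC [ ... final byte) or OSC sequence
# (ESC ] ... BEL or ESC \), which is what a console would interpret.
ANSI_SEQUENCE = re.compile(
    r"\x1b(?:\[[0-?]*[ -/]*[@-~]|\][^\x07\x1b]*(?:\x07|\x1b\\))"
)

def find_ansi_in_log(lines):
    """Detection: return (line_number, sequence_count) for each log line
    that carries a raw ANSI sequence. On an unpatched Tomcat that is a sign
    a crafted request URL reached the logger unescaped."""
    hits = []
    for number, line in enumerate(lines, 1):
        count = len(ANSI_SEQUENCE.findall(line))
        if count:
            hits.append((number, count))
    return hits

# Constructed access-log style lines; the second and third carry a
# clear-screen/cursor-home pair and an OSC clipboard sequence respectively.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Oct/2025:06:52:00 +0000] "GET /app/index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [28/Oct/2025:06:53:10 +0000] "GET /app/\x1b[2J\x1b[H HTTP/1.1" 404 0',
    '10.0.0.9 - - [28/Oct/2025:06:53:11 +0000] "GET /app/\x1b]52;c;aGVsbG8=\x07 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, count in find_ansi_in_log(SAMPLE_LOG):
        print("line %d: %d ANSI sequence(s)" % (number, count))
        print("  sanitized:", neutralize_for_log(SAMPLE_LOG[number - 1]))
```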

Apache encourages users to upgrade to the mitigated versions: Tomcat 11.0.11, 10.1.45, or 9.0.109 and later, which address both vulnerabilities through improved URL handling and log escaping.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.