PT-2025-43997 · Apache · Apache Tomcat

Elysee Franchuk · Published 2025-09-08 · Updated 2026-03-30

CVE-2025-55754

CVSS v3.1: 9.6 Critical
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 8.5.60 through 8.5.100
Apache Tomcat versions 9.0.40 through 9.0.108
Apache Tomcat versions 10.1.0-M1 through 10.1.44
Apache Tomcat versions 11.0.0-M1 through 11.0.10
Description

Tomcat did not properly handle ANSI escape sequences within log messages. When Tomcat runs on a Windows console that supports these sequences, an attacker could inject specially crafted ANSI escape sequences via a URL, and they would be written to the log unneutralized. This could allow manipulation of the console and clipboard, potentially tricking an administrator into executing attacker-controlled commands. No specific attack vector was identified for other operating systems, but the possibility of exploitation there was noted. The underlying weakness is improper neutralization of escape, meta, or control sequences.
Recommendations

Upgrade to Apache Tomcat version 11.0.11 or later.
Upgrade to Apache Tomcat version 10.1.45 or later.
Upgrade to Apache Tomcat version 9.0.109 or later.
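As an added illustration of the defect class described above (example code, not Tomcat's own code and not its patch), the following Python scans constructed Tomcat-style access-log lines for ANSI escape and control sequences, as a defender might do over existing logs, and shows the neutralization a safe logger applies: every C0/C1 control byte is rendered as a visible escape so a console never interprets it. The log lines and the function names are assumptions for this example.

```python
"""Detect and neutralize terminal escape/control sequences in log lines.
Added example; the sample log lines below are constructed, not real Tomcat output."""
import re

# Sequences a terminal would act on: CSI (ESC [ params final), OSC (ESC ] ... BEL/ST),
# any other two-byte ESC sequence, and C1 control bytes, which some terminals treat
# as CSI/OSC introducers on their own.
_ESC_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"              # CSI: ESC [ parameters intermediates final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"   # OSC: ESC ] payload terminated by BEL or ESC \
    r"|\x1b[@-Z\\-_]"                       # other Fe escapes: ESC followed by 0x40-0x5f
    r"|[\x80-\x9f]"                         # C1 control bytes
)

# Every C0 control (including CR/LF, which also enable log-line forging) plus DEL and C1.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")

SAMPLE_LOG = [  # constructed lines in Tomcat access-log style
    '10.0.0.5 - - [08/Sep/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [08/Sep/2025:10:00:02 +0000] '
    '"GET /\x1b[2J\x1b]0;example\x07 HTTP/1.1" 404 0',  # clear-screen + set-title
]


def find_escape_sequences(line: str) -> list[str]:
    """Return every terminal escape sequence present in a log line."""
    return _ESC_SEQ.findall(line)


def neutralize(line: str) -> str:
    """Render each control byte as a literal \\xNN token so nothing is interpreted.
    This is the kind of transformation a fixed logger applies before writing."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), line)


def scan_log(lines):
    """Yield (line_number, sequences_found, neutralized_line) for suspicious lines."""
    for number, line in enumerate(lines, 1):
        found = find_escape_sequences(line)
        if found:
            yield number, found, neutralize(line)


if __name__ == "__main__":
    for number, found, safe in scan_log(SAMPLE_LOG):
        print(f"line {number}: {len(found)} escape sequence(s) -> {safe}")
```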

Fix

Weakness Enumeration

Related Identifiers

ALT-PU-2025-13135
ALT-PU-2025-14452
BDU:2025-13927
BIT-TOMCAT-2025-55754
CVE-2025-55754
GHSA-VFWW-5HM6-HX2J
MGASA-2025-0250
OESA-2025-2559
OESA-2025-2560
OESA-2025-2561
OESA-2025-2562
OESA-2025-2563
OESA-2025-2630
OPENSUSE-SU-2025:15716-1
OPENSUSE-SU-2025:15717-1
OPENSUSE-SU-2025:15718-1
OPENSUSE-SU-2025:20106-1
OPENSUSE-SU-2026:20034-1
OPENSUSE-SU-2026:20444-1
RHSA-2026:2740
SUSE-SU-2025:21152-1
SUSE-SU-2025:4086-1
SUSE-SU-2025:4103-1
SUSE-SU-2025:4159-1
SUSE-SU-2025:4184-1
SUSE-SU-2026:1058-1
SUSE-SU-2026:20084-1
SUSE-SU-2026:20982-1

Affected Products

Alt Linux
Apache Tomcat
Debian
Red Os
Suse