PT-2025-43997 · Apache · Apache Tomcat

Elysee Franchuk · Published 2025-09-08 · Updated 2025-10-30 · CVE-2025-55754

CVSS v3.1: 9.6
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 8.5.60 through 8.5.100
Apache Tomcat versions 9.0.40 through 9.0.108
Apache Tomcat versions 10.1.0-M1 through 10.1.44
Apache Tomcat versions 11.0.0-M1 through 11.0.10

Description
Tomcat did not properly handle ANSI escape sequences within log messages. When Tomcat runs on a Windows console that supports these sequences, an attacker could inject specially crafted ANSI escape sequences via a URL. This could allow manipulation of the console and clipboard, potentially tricking an administrator into executing attacker-controlled commands. No specific attack vector was identified for other operating systems, but the possibility of exploitation there was noted. The underlying weakness is improper neutralization of escape, meta, or control sequences.

Recommendations
Upgrade to Apache Tomcat version 11.0.11 or later.
Upgrade to Apache Tomcat version 10.1.45 or later.
Upgrade to Apache Tomcat version 9.0.109 or later.
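The root cause described above is that log messages reached the console without escape sequences being neutralized. The following Python sanitizer is an added example of that mitigation, not Tomcat's own code or its fix: it detects CSI and OSC sequences in a constructed access-log-style line and either renders every control character visibly (so the attempt stays reviewable) or strips the sequences before the line is written to a console. The log line and the function names are constructed for illustration.

```python
import re

# Added example, not Tomcat's code: neutralize terminal control sequences in
# log messages before they reach a console that interprets them.

# Complete escape sequences, matched as a unit so stripping removes the whole
# sequence rather than leaving its parameter bytes behind:
#   CSI  ESC [ params intermediates final   (cursor movement, clearing, colours)
#   OSC  ESC ] text BEL|ESC\                 (window title, clipboard, hyperlinks)
#   Fe   ESC + one byte in 0x40-0x5F         (remaining two-byte sequences)
ESCAPE_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[@-Z\\-_]"
)
# Any other C0 control character or DEL; tab and newline are left alone here.
CONTROL_CHAR = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


def find_escape_sequences(message: str) -> list[str]:
    """Return the escape sequences present in a log message, for alerting."""
    return [m.group(0) for m in ESCAPE_SEQ.finditer(message)]


def neutralize(message: str, strip: bool = False) -> str:
    """Make a log message safe to print on a console.

    strip=False renders each control character as \\uXXXX so the attempt stays
    visible in the log; strip=True removes escape sequences and control bytes.
    """
    if strip:
        return CONTROL_CHAR.sub("", ESCAPE_SEQ.sub("", message))
    return CONTROL_CHAR.sub(lambda m: "\\u{:04x}".format(ord(m.group(0))), message)


# Constructed access-log-style line: the request path was logged with a CSI
# "clear screen" sequence and an OSC "set title" sequence embedded in it.
SAMPLE_LINE = (
    '127.0.0.1 - - [08/Sep/2025:10:00:00 +0000] '
    '"GET /app/\x1b[2J\x1b]0;owned\x07index.html HTTP/1.1" 404 -'
)

if __name__ == "__main__":
    print("sequences found:", find_escape_sequences(SAMPLE_LINE))
    print("visible:", neutralize(SAMPLE_LINE))
    print("stripped:", neutralize(SAMPLE_LINE, strip=True))
```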

Related Identifiers: CVE-2025-55754

Affected Products: Apache Tomcat