SB2025102748 - Two vulnerabilities in Apache Tomcat
Published: October 27, 2025 Updated: October 31, 2025
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Improper Output Neutralization for Logs (CVE-ID: CVE-2025-55754)
The vulnerability allows a remote attacker to execute arbitrary OS commands.
The vulnerability exists due to improper input validation of ANSI escape sequences in log messages. A remote attacker can use a crafted URL to inject ANSI escape sequences into the logs in order to manipulate the console and the clipboard and potentially execute arbitrary code.
The vulnerability affects Windows installations only.
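A defender-side illustration of the log-neutralization problem behind CVE-2025-55754, added here as an example that is not from this bulletin or from the Apache Tomcat code base: it makes an untrusted value inert before it is written to a console log, classifies any terminal escape sequences it carries, and flags suspicious entries in a few constructed access-log lines. The `%1b` percent-encoding heuristic and the log line format are assumptions of this example.

```python
import re

# Terminal control sequences that an untrusted string can smuggle into a console log:
#   CSI = ESC [ params final   (cursor movement, colours, screen clearing)
#   OSC = ESC ] text BEL|ST    (terminal-level commands such as title or clipboard updates)
ESC_SEQ_RE = re.compile(
    r"\x1b(?:(?P<csi>\[[0-?]*[ -/]*[@-~])|(?P<osc>\][^\x07\x1b]*(?:\x07|\x1b\\)?)|(?P<other>.?))",
    re.DOTALL,
)
# Every C0 control byte except TAB, plus DEL. CR and LF are included because they
# let an attacker forge a second, fake log line.
CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def neutralize_for_log(value: str) -> str:
    """Return a copy of an untrusted string that is safe to write to a log.
    Each control byte becomes its visible \\xNN form, so ESC [31m is logged as
    \\x1b[31m: a terminal no longer interprets it, but the bytes stay auditable."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


def classify_escape_sequences(value: str) -> list:
    """Label every ESC-introduced sequence in the string as CSI, OSC or a bare ESC."""
    labels = []
    for m in ESC_SEQ_RE.finditer(value):
        labels.append("CSI" if m.group("csi") else "OSC" if m.group("osc") else "ESC")
    return labels


def flag_log_injection_attempts(lines) -> list:
    """Scan access-log lines for the ingredients of a terminal-injection attempt:
    a raw ESC byte, or (assumed heuristic) a percent-encoded ESC (%1b) in the request."""
    findings = []
    for n, line in enumerate(lines, 1):
        if "\x1b" in line:
            findings.append((n, "raw ESC: " + ",".join(classify_escape_sequences(line))))
        elif re.search(r"%1[bB]", line):
            findings.append((n, "percent-encoded ESC in request"))
    return findings


# Constructed sample access-log lines (not real traffic); line 3 carries a raw ESC byte.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [27/Oct/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Oct/2025:10:00:02 +0000] "GET /%1b[31mnope HTTP/1.1" 404 0',
    '10.0.0.9 - - [27/Oct/2025:10:00:03 +0000] "GET /\x1b[2Jclear HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in flag_log_injection_attempts(SAMPLE_ACCESS_LOG):
        print(hit)
    print(neutralize_for_log(SAMPLE_ACCESS_LOG[2]))
```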
2) Path traversal (CVE-ID: CVE-2025-55752)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to an input validation error when processing directory traversal sequences passed via the Rewrite Valve. A remote attacker can send a specially crafted HTTP PUT request and write arbitrary files to the server, leading to remote code execution.
Remediation
Install the update from the vendor's website.
References
- https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.11
- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.109
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.45
- https://lists.apache.org/thread/opg9mrgd64717nkwrkv8yszwzvzjlhqx
- https://lists.apache.org/thread/2fbxt6dpjnpvgn4mkxt6mzvkhnno1yy9