CVE-2025-55754 Apache Tomcat - Console manipulation via escape sequences in log messages
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.10
Apache Tomcat 10.1.0-M1 to 10.1.44
Apache Tomcat 9.0.0.40 to 9.0.108
Older, EOL versions may also be affected
Description:
Tomcat did not escape ANSI escape sequences in log messages. If Tomcat
was running in a console on a Windows operating system, and the console
supported ANSI escape sequences, it was possible for an attacker to use
a specially crafted URL to inject ANSI escape sequences to manipulate
the console and the clipboard and attempt to trick an administrator into
running an attacker-controlled command. While no attack vector was
found, it may have been possible to mount this attack on other operating
systems.
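As an added illustration (not Tomcat's own code or fix), the following detects CSI and OSC escape sequences in log lines of the kind described above and shows how a log formatter can neutralise control bytes so they render inertly; the log lines are constructed samples, and the OSC 52 payload is a placeholder.

```python
import re
from typing import Iterable

# Constructed sample log lines (not real Tomcat output): a benign request,
# a request path carrying a CSI "clear screen / home" sequence, and one
# carrying an OSC 52 (terminal clipboard write) sequence with a placeholder body.
SAMPLE_LOG = [
    "GET /index.html HTTP/1.1 200",
    "GET /x\x1b[2J\x1b[H HTTP/1.1 404",
    "GET /y\x1b]52;c;AAAA\x07 HTTP/1.1 404",
]

# ESC followed by either a CSI sequence (ESC [ params intermediates final)
# or an OSC sequence (ESC ] ... terminated by BEL or ESC \).
ANSI_RE = re.compile(r"\x1b(?:\[[0-?]*[ -/]*[@-~]|\][^\x07\x1b]*(?:\x07|\x1b\\))")


def find_sequences(line: str) -> list:
    """Return (kind, body) for each escape sequence found in one log line."""
    found = []
    for m in ANSI_RE.finditer(line):
        seq = m.group(0)
        if seq[1] == "[":
            found.append(("CSI", seq[2:]))
        else:
            body = seq[2:].rstrip("\x07").removesuffix("\x1b\\")
            # OSC parameter 52 addresses the clipboard; flag it separately.
            kind = "OSC-clipboard" if body.split(";")[0] == "52" else "OSC"
            found.append((kind, body))
    return found


def neutralize(line: str) -> str:
    """Escape every C0/C1 control character (tab and newline included) as \\uXXXX."""
    return "".join(
        f"\\u{ord(c):04x}" if ord(c) < 0x20 or 0x7F <= ord(c) < 0xA0 else c
        for c in line
    )


def scan(lines: Iterable[str]) -> list:
    """Flag lines containing escape sequences as (index, kinds, neutralised line)."""
    hits = []
    for i, line in enumerate(lines):
        seqs = find_sequences(line)
        if seqs:
            hits.append((i, [kind for kind, _ in seqs], neutralize(line)))
    return hits
```

Running scan() over an access log before it reaches a console, or over archived logs, surfaces requests that tried to smuggle terminal control sequences; neutralize() is the formatter-side counterpart that makes such bytes harmless on any console.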
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.11 or later
- Upgrade to Apache Tomcat 10.1.45 or later
- Upgrade to Apache Tomcat 9.0.109 or later
Credit:
Elysee Franchuk of MOBIA Technology Innovations
History:
2025-10-27 Original advisory
References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html