The Apache Software Foundation has disclosed two new security vulnerabilities affecting multiple versions of Apache Tomcat, warning system administrators to take immediate action. The flaws, identified as CVE-2025-55752 and CVE-2025-55754, were officially announced on October 27, 2025, and impact Tomcat versions 9, 10, and 11.
CVE-2025-55752: Directory Traversal Leading to Remote Code Execution
The more serious of the two vulnerabilities, CVE-2025-55752, is classified as “Important” severity. It stems from a regression introduced during the fix for an earlier issue (bug 60013). The flaw enables directory traversal via rewritten URLs, allowing an attacker to manipulate request URIs that are normalized before being decoded.
This behavior can enable attackers to bypass Tomcat’s security mechanisms that protect sensitive directories such as /WEB-INF/ and /META-INF/. The situation becomes especially dangerous if HTTP PUT requests are enabled on the server. Under these conditions, an attacker could exploit the vulnerability to upload malicious files, potentially achieving remote code execution (RCE) on the host system.
Security experts note that while this attack vector is severe, exploitation is less likely in typical production environments since PUT requests are usually restricted to trusted users.
The vulnerability affects the following Apache Tomcat versions:
- 11.0.0-M1 through 11.0.10
- 10.1.0-M1 through 10.1.44
- 9.0.0.M11 through 9.0.108
Older, end-of-life (EOL) versions may also be at risk.
Mitigation: Administrators are advised to upgrade to Apache Tomcat 11.0.11, 10.1.45, or 9.0.109 or later. These patched versions resolve the issue.
The flaw was discovered by Chumy Tsai of CyCraft Technology, who was credited for reporting the vulnerability.
In the official advisory, Mark Thomas from the Apache Software Foundation explained that the issue resulted from a regression where “the rewritten URL was normalized before it was decoded.” This allowed attackers to manipulate query parameters in rewrite rules and bypass constraints protecting sensitive paths.
CVE-2025-55754: Console Manipulation Through Log Injection
The second flaw, CVE-2025-55754, has been rated as “Low” severity but still poses a notable risk. It allows console manipulation via ANSI escape sequences in log messages when Apache Tomcat is running in a console environment, most notably on Windows systems that support these sequences.
Attackers can craft special URLs that, when logged by Tomcat, inject escape sequences into the console output. These can alter the console’s appearance or clipboard contents and could trick administrators into executing unintended commands. Although primarily observed on Windows systems, researchers caution that similar attack patterns could occur on other platforms.
The issue affects nearly the same version ranges as CVE-2025-55752, differing only in where the 9.x range begins:
- 11.0.0-M1 through 11.0.10
- 10.1.0-M1 through 10.1.44
- 9.0.40 through 9.0.108
Mitigation: Users should upgrade to Apache Tomcat 11.0.11, 10.1.45, or 9.0.109, each of which includes fixes for both vulnerabilities.
This vulnerability was discovered by Elysee Franchuk of MOBIA Technology Innovations, who is credited in the advisory.
Timeline and Official Advisory
The Apache Software Foundation published its security advisory on October 27, 2025, urging organizations to update their Tomcat installations without delay. The announcement outlined detailed mitigation steps and confirmed that both vulnerabilities were resolved in the latest stable releases of the affected branches.
Recommended Actions for Administrators
System administrators using Apache Tomcat are urged to:
- Identify affected deployments by checking installed versions against the vulnerable ranges.
- Disable or restrict HTTP PUT requests unless necessary, as this setting is key to potential exploitation of CVE-2025-55752.
- Apply the latest updates—Tomcat 11.0.11, 10.1.45, or 9.0.109—to address both vulnerabilities.
- Review logging and console configurations, especially on Windows systems, to mitigate risks associated with CVE-2025-55754.
- Monitor for suspicious activity, such as unexpected uploads, unusual log entries, or abnormal console behavior.
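For the first step, checking installed versions against the vulnerable ranges, here is an added example (not code from the advisory or the Tomcat project): a small Python checker that maps a Tomcat version string onto the ranges quoted above and names the release to upgrade to. The milestone ordering (M-builds sort before the GA release of the same number) and the optional "Apache Tomcat/" prefix the parser accepts are assumptions made for this example.

```python
import re

# Affected ranges (inclusive) as listed in the advisory summary above, in
# Tomcat's own version spellings: "11.0.0-M1", "9.0.0.M11", "10.1.44".
AFFECTED = {
    "CVE-2025-55752": [("11.0.0-M1", "11.0.10"), ("10.1.0-M1", "10.1.44"), ("9.0.0.M11", "9.0.108")],
    "CVE-2025-55754": [("11.0.0-M1", "11.0.10"), ("10.1.0-M1", "10.1.44"), ("9.0.40", "9.0.108")],
}
# First fixed release per supported branch.
FIXED = {11: "11.0.11", 10: "10.1.45", 9: "9.0.109"}

# Optional "Apache Tomcat/" prefix (assumed form of the server banner),
# then major.minor.patch with an optional milestone written ".Mn" or "-Mn".
_VERSION_RE = re.compile(r"^(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn a Tomcat version string into a sortable tuple.

    A milestone becomes (0, n) and a GA release (1, 0) as the tail, so
    11.0.0-M1 < 11.0.0 < 11.0.1, matching how the ranges are written.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + tail


def affected_cves(version: str) -> list:
    """CVEs whose published range contains this version (inclusive bounds)."""
    v = parse_version(version)
    return [cve for cve, ranges in AFFECTED.items()
            if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)]


def assess(version: str) -> dict:
    """Report exposure and the fixed release; EOL branches are flagged, not cleared."""
    cves = affected_cves(version)
    major = parse_version(version)[0]
    note = "end-of-life branch: not covered by the advisory ranges, may still be at risk" if major < 9 else ""
    return {"version": version, "affected": cves,
            "upgrade_to": FIXED.get(major) if cves else None, "note": note}


if __name__ == "__main__":
    for sample in ("Apache Tomcat/10.1.44", "9.0.20", "11.0.0-M1", "9.0.109", "8.5.100"):
        print(assess(sample))
```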
