CVE-2025-55754
BaseFortify

Publication date: 2025-10-27

Last updated on: 2025-11-14

Assigner: Apache Software Foundation

Description
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker-controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.
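The weakness is a logging sink that writes request-derived text to a console without neutralizing terminal control characters. The following is an added example, not Apache Tomcat's own code: a small neutralization and detection routine, with a constructed access-log format and a constructed sample request whose path carries a percent-encoded ESC byte. It goes slightly beyond the description by covering all C0 and C1 control characters (including the single-byte 8-bit CSI, 0x9B), not only the 7-bit ESC.

```python
import re
from urllib.parse import unquote

# Every C0 control (0x00-0x1F), DEL (0x7F) and C1 control (0x80-0x9F).
# ESC (0x1B) introduces 7-bit ANSI sequences such as "ESC [ ... m"; 0x9B is the
# single-byte 8-bit CSI, so a filter that only strips ESC is incomplete.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def neutralize(message: str) -> str:
    """Replace each control character with a visible Python-style escape
    (ESC becomes the six characters \\u001b). Nothing a terminal acts on
    survives, and the original byte stays recoverable for analysis."""
    return _CONTROL_CHARS.sub(lambda m: "\\u%04x" % ord(m.group()), message)


def find_control_chars(message: str) -> list[tuple[int, str]]:
    """Detection helper: (offset, code point) of every control character in a
    line, for scanning logs written by a version that did not neutralize."""
    return [(m.start(), "U+%04X" % ord(m.group()))
            for m in _CONTROL_CHARS.finditer(message)]


def access_log_line(client: str, method: str, raw_path: str, status: int) -> str:
    """Build a simplified access-log line (assumed format, not Tomcat's).
    The percent-decoded path is neutralized before it is written, because
    decoding is where a URL-encoded %1B turns into a raw ESC byte."""
    decoded = unquote(raw_path)
    return '%s "%s %s" %d' % (client, method, neutralize(decoded), status)


# Constructed sample request: the path carries a percent-encoded "ESC [ 31 m"
# (an SGR colour sequence) that a raw logger would pass straight to the console.
SAMPLE_CLIENT = "203.0.113.5"
SAMPLE_PATH = "/app/%1B%5B31mlogin"

if __name__ == "__main__":
    unsafe = unquote(SAMPLE_PATH)
    print("control chars in decoded path:", find_control_chars(unsafe))
    print(access_log_line(SAMPLE_CLIENT, "GET", SAMPLE_PATH, 404))
```

Newline and tab are neutralized too, which also closes the related log-forging case where a request injects fake log lines; if a deployment relies on tabs in its log format, exempt 0x09 explicitly rather than widening the exemption.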
Meta Information
Published: 2025-10-27
Last Modified: 2025-11-14
Generated: 2026-05-07
AI Q&A: 2025-10-27
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 5 associated CPEs

Vendor   Product   Version / Range
apache   tomcat    From 8.5.60 (inc) to 8.5.100 (inc)
apache   tomcat    From 9.0.40 (inc) to 9.0.109 (exc)
apache   tomcat    From 10.0.0 (inc) to 10.0.27 (exc)
apache   tomcat    From 10.1.0 (inc) to 10.1.45 (exc)
apache   tomcat    From 11.0.0 (inc) to 11.0.11 (exc)
CWE
CWE-150: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Apache Tomcat involves improper neutralization of ANSI escape sequences in log messages. When Tomcat runs in a Windows console that supports ANSI escape sequences, an attacker could craft a URL that injects these sequences into the console logs. This could allow the attacker to manipulate the console display and clipboard, potentially tricking an administrator into executing commands controlled by the attacker. Although no attack vector was confirmed, the vulnerability might also affect other operating systems.


How can this vulnerability impact me?

If exploited, this vulnerability could allow an attacker to manipulate the console output and clipboard of an administrator monitoring Apache Tomcat logs. This manipulation could be used to deceive the administrator into running malicious commands, potentially leading to unauthorized system control or compromise.


What immediate steps should I take to mitigate this vulnerability?

Users are recommended to upgrade Apache Tomcat to version 11.0.11 or later, 10.1.45 or later, or 9.0.109 or later, which fix the issue.

