The Apache Software Foundation has disclosed two critical security vulnerabilities affecting multiple versions of Apache Tomcat, with one flaw presenting a serious risk of remote code execution on vulnerable servers.
The flaws impact Apache Tomcat versions 9, 10, and 11, prompting urgent warnings for administrators to upgrade their installations immediately.
Critical Directory Traversal Flaw Enables RCE
The most severe vulnerability, tracked as CVE-2025-55752 and rated as “Important” severity, stems from a regression introduced while fixing a previous bug.
This directory traversal flaw allows attackers to manipulate request URIs through rewritten URLs that are normalized before being decoded.
The vulnerability specifically affects rewrite rules that manipulate query parameters, enabling attackers to bypass critical security constraints designed to protect sensitive directories like /WEB-INF/ and /META-INF/.
The real danger emerges when PUT requests are enabled on affected servers. In this scenario, attackers could exploit the directory traversal weakness to upload malicious files to the server, ultimately achieving remote code execution.
However, security experts note that PUT requests are typically restricted to trusted users, making the exploitation scenario less common in production environments.
The vulnerability was discovered by security researcher Chumy Tsai from CyCraft Technology and affects Apache Tomcat versions 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, and 9.0.0-M11 through 9.0.108.
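As an added illustration of why the ordering described above matters (constructed example, not Tomcat's own code): a toy resolver checks a protected-prefix constraint under two orderings. When the path is normalized before it is percent-decoded, an encoded dot segment survives normalization, the check passes, and the path used afterwards still lands inside /WEB-INF/; decoding first makes the checked string and the resolved string the same. The prefix list and function names are assumptions for the example.

```python
"""Toy model of the normalize-before-decode ordering bug class.

Constructed for illustration; it does not reproduce Tomcat's internals.
"""
import posixpath
from urllib.parse import unquote

# Assumed list of directories a servlet container must never serve directly.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def normalize(path: str) -> str:
    """Collapse literal '.' and '..' segments; %-encoded ones are untouched."""
    return posixpath.normpath(path)


def violates_constraint(path: str) -> bool:
    """Case-insensitive check against the protected prefixes."""
    return any(path.upper().startswith(p) for p in PROTECTED_PREFIXES)


def resolve(uri: str, decode_first: bool) -> tuple[str, bool]:
    """Return (final path, allowed).

    decode_first=False models the flawed pipeline: the constraint is checked
    on the normalized-but-still-encoded path, and decoding happens afterwards.
    decode_first=True decodes, normalizes, then checks, so the string that was
    checked is the string that is used to locate the resource.
    """
    if decode_first:
        final = normalize(unquote(uri))
        return final, not violates_constraint(final)
    checked = normalize(uri)
    allowed = not violates_constraint(checked)
    # Late decoding reintroduces '..' segments that normalization never saw.
    final = normalize(unquote(checked))
    return final, allowed


def orderings_disagree(uri: str) -> bool:
    """Defender check: a request whose verdict flips between the two orderings
    is exactly the shape a normalize-before-decode pipeline mishandles."""
    return resolve(uri, decode_first=False)[1] != resolve(uri, decode_first=True)[1]


if __name__ == "__main__":
    for uri in ("/app/index.html", "/app/%2e%2e/WEB-INF/web.xml"):
        print(uri, resolve(uri, False), resolve(uri, True), orderings_disagree(uri))
```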
The second vulnerability, CVE-2025-55754, carries a lower severity rating but still presents security concerns.
This flaw involves Apache Tomcat’s failure to properly escape ANSI escape sequences in log messages.
When Tomcat runs in a console environment on Windows systems that support ANSI escape sequences, attackers can craft specially designed URLs to inject malicious escape sequences into log outputs.
These injected sequences can manipulate the console display and clipboard contents, potentially tricking system administrators into executing attacker-controlled commands.
While primarily observed on Windows platforms, researchers warn that similar attack vectors might exist on other operating systems.
The vulnerability was identified by Elysee Franchuk of MOBIA Technology Innovations and affects similar version ranges across Apache Tomcat 9, 10, and 11 series.
Apache has released patched versions to address both vulnerabilities.
Organizations running affected Tomcat installations should immediately upgrade to version 11.0.11, 10.1.45, or 9.0.109, depending on their deployment.
The security updates were announced on October 27, 2025, and detailed mitigation guidance is available through Apache’s official security advisories for each affected version series.
| CVE ID | Vulnerability | Severity | CVSS Score | Affected Versions |
|---|---|---|---|---|
| CVE-2025-55752 | Directory traversal via rewrite with possible RCE if PUT is enabled | Important | N/A | 9.0.0-M11–9.0.108, 10.1.0-M1–10.1.44, 11.0.0-M1–11.0.10 |
| CVE-2025-55754 | Console manipulation via escape sequences in log messages | Low | N/A | 9.0.0-M11–9.0.108, 10.1.0-M1–10.1.44, 11.0.0-M1–11.0.10 |