
CVE-2025-55754: Critical Vulnerability in Apache Tomcat

A critical vulnerability has been identified in Apache Tomcat affecting multiple versions. Attackers may exploit this flaw to manipulate the console and trick administrators into executing commands. Immediate action is required to mitigate risks.

CRITICAL · CVSS 9.6 · Published October 27, 2025

CVE-2025-55754 is a critical vulnerability in Apache Tomcat with a CVSS score of 9.6. It stems from improper neutralization of escape, meta, or control sequences: Apache Tomcat does not escape ANSI escape sequences in log messages. If Tomcat is running in a console on a Windows operating system that supports ANSI escape sequences, an attacker could inject ANSI escape sequences via a specially crafted URL. Those sequences can manipulate the console and clipboard, tricking an administrator into executing an attacker-controlled command.

While no specific attack vector has been confirmed, similar attacks may be possible on other operating systems as well. The vulnerability affects Apache Tomcat from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, and from 9.0.40 through 9.0.108. End-of-life versions from 8.5.60 through 8.5.100 are also affected. Users are advised to upgrade to version 11.0.11 or later, 10.1.45 or later, or 9.0.109 or later, which contain fixes for this issue.
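The weakness above is that control characters from a request target reach a console log unchanged. The following added example (not Tomcat's code, and not the project's fix) shows the two defensive checks a practitioner would want: a formatter that neutralises control characters before a message is written to a terminal, and a scan of access-log lines that flags request targets carrying such characters either literally or percent-encoded. The log lines and the regular expressions are constructed for this example.

```python
"""Neutralise terminal control sequences in log output and flag requests that carry them."""
import re
from urllib.parse import unquote

# ESC (0x1b) and the C1 control 0x9b both open terminal control sequences.
# Assumed pattern: every C0 control except tab and newline, plus DEL and the C1 range.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")

# Constructed access-log lines in common log format; the second carries a
# percent-encoded ESC, the third a literal one.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [27/Oct/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Oct/2025:10:00:01 +0000] "GET /app/%1b[31mdemo HTTP/1.1" 404 0',
    '10.0.0.7 - - [27/Oct/2025:10:00:02 +0000] "GET /api/\x1b[2Jitems HTTP/1.1" 200 77',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def neutralise(message: str) -> str:
    """Replace each control character with a visible escaped form such as \\x1b,
    so a terminal prints it instead of interpreting it."""
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), message)


def url_carries_control(raw_target: str) -> bool:
    """True if the request target contains a control character, literally or after
    percent-decoding (a single decoding pass, which is what a server applies)."""
    return bool(CONTROL_CHARS.search(raw_target) or CONTROL_CHARS.search(unquote(raw_target)))


def flag_suspicious_requests(lines):
    """Return (line number, decoded and neutralised target) for every request line
    whose target carries a control character; lines without a request are skipped."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and url_carries_control(match.group("target")):
            hits.append((number, neutralise(unquote(match.group("target")))))
    return hits


if __name__ == "__main__":
    for number, target in flag_suspicious_requests(SAMPLE_ACCESS_LOG):
        print(f"line {number}: {target}")
```

Running the module prints the flagged targets with the ESC byte shown as `\x1b`, which is the safe form a console logger should emit.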

Organizations should prioritize patching immediately. The severity of this vulnerability means that if exploited, it could lead to significant breaches of security, making it essential for organizations using affected versions of Apache Tomcat to take action without delay.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

