Cyber Posture

CVE-2025-55754

Critical

Published: 27 October 2025

Modified: 14 November 2025
KEV Added
Patch
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.5th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-55754 is an Improper Neutralization of Escape, Meta, or Control Sequences vulnerability (CWE-150) in Apache Tomcat: the software fails to escape ANSI escape sequences before writing log messages. It affects Tomcat versions 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, and 9.0.40 through 9.0.108; the end-of-life 8.5.60 through 8.5.100 releases are also vulnerable, and older EOL releases may be as well. The issue has a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), reflecting its critical potential impact.

An unauthenticated attacker over the network can exploit this by sending a specially crafted URL that injects ANSI escape sequences into Tomcat's log messages, provided the server runs in a console on Windows with ANSI support enabled. This allows manipulation of the console display and clipboard content, potentially tricking an administrator into executing an attacker-controlled command. While no specific attack vector was identified for other operating systems, the vulnerability may enable similar attacks there.

Apache advisories recommend upgrading to Tomcat 11.0.11 or later, 10.1.45 or later, or 9.0.109 or later, which address the issue by properly escaping ANSI sequences in logs. Details are available in the official Apache security announcement at https://lists.apache.org/thread/j7w54hqbkfcn0xb9xy0wnx8w5nymcbqd and the oss-security mailing list post at http://www.openwall.com/lists/oss-security/2025/10/27/5.
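The weakness described above is that untrusted request data reaches a console-backed log with its control characters intact. The following added example (not Tomcat's code or the fix shipped by Apache) shows the two defensive pieces a practitioner wants: a neutralizer that rewrites every C0 control character, including ESC (0x1B), into a visible `\xNN` form before logging, and a detection check that flags existing access-log lines carrying such characters. The log lines are constructed for illustration.

```python
import re

# Constructed sample access-log lines (not from any real Tomcat deployment):
# one ordinary request and one whose request path carries an ANSI sequence.
SAMPLE_LOG_LINES = [
    '192.0.2.10 - - [27/Oct/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.11 - - [27/Oct/2025:10:00:01 +0000] "GET /\x1b[2J\x1b[Hmissing HTTP/1.1" 404 0',
]

# C0 control characters (0x00-0x1F) and DEL (0x7F). Every ANSI sequence
# (CSI, OSC, ...) starts with ESC = 0x1B, so neutralizing this whole range
# covers terminal-control injection as well as CR/LF log-line splitting.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def neutralize_control_chars(message: str) -> str:
    """Return `message` with each control character rewritten as a visible
    \\xNN escape, so the text can be written to a console-backed log without
    the terminal interpreting it."""
    return _CONTROL_CHARS.sub(lambda m: f"\\x{ord(m.group()):02x}", message)


def is_suspicious_log_line(line: str) -> bool:
    """Detection check: a raw access-log line should never contain control
    characters; if one does, they were injected (a CWE-150 indicator)."""
    return _CONTROL_CHARS.search(line) is not None


def triage(lines):
    """Return the flagged lines in neutralized, human-readable form so an
    analyst can inspect them safely in a terminal."""
    return [neutralize_control_chars(line) for line in lines if is_suspicious_log_line(line)]


if __name__ == "__main__":
    for flagged in triage(SAMPLE_LOG_LINES):
        print("suspicious:", flagged)
```

Tomcat's own fix neutralizes the sequences inside its logging layer; the detection function here is useful for sweeping logs written by unpatched instances.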

Details

CWE(s): CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences)

Affected Products

Apache Tomcat: 8.5.60 — 8.5.100 · 9.0.40 — 9.0.109 · 10.0.0 — 10.0.27

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2025-55754 allows an unauthenticated remote attacker to target the public-facing Apache Tomcat web server with crafted URLs that inject ANSI escape sequences into its logs, which maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
