CVE-2025-55754
ANSI escape sequences vulnerability in tomcat (Maven)

ANSI escape sequences | No known exploit | Fixable by Resolved Security

What is CVE-2025-55754 About?

This vulnerability allows the injection of ANSI escape sequences into log messages if Tomcat is running in a Windows console that supports them. This could enable an attacker to manipulate the console and clipboard, and potentially trick an administrator into executing malicious commands. No direct attack vector was confirmed, and the vulnerability is moderately difficult to exploit because it relies on specific console configurations and user interaction.

Affected Software

  • org.apache.tomcat:tomcat
    • >10.1.0-M1, <10.1.45
    • >9.0.0.40, <9.0.109
    • >8.5.60, <=8.5.100
    • >11.0.0-M1, <11.0.11
  • org.apache.tomcat.embed:tomcat-embed-core
    • >10.1.0-M1, <10.1.45
    • >9.0.0.40, <9.0.109
    • >8.5.60, <=8.5.100
    • >11.0.0-M1, <11.0.11
  • org.apache.tomcat:tomcat-catalina
    • >10.1.0-M1, <10.1.45
    • >9.0.0.40, <9.0.109
    • >8.5.60, <=8.5.100
    • >11.0.0-M1, <11.0.11

Technical Details

The vulnerability stems from Apache Tomcat not properly escaping ANSI escape sequences present in log messages. When Tomcat operates on a Windows system with a console supporting ANSI escape sequences, a specially crafted URL can be used by an attacker to inject these sequences into the logs. These injected sequences can then be interpreted by the console to perform actions such as manipulating cursor position, altering text colors, clearing the screen, or even interacting with the clipboard. The attack vector relies on an administrator viewing the manipulated logs in the affected console, potentially leading to a social engineering attack where the administrator is prompted or tricked into executing a command controlled by the attacker.
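A defender can triage existing logs for this pattern before viewing them in a console. The following is an added example, not code from Apache Tomcat or Resolved Security: it flags log lines carrying terminal escape introducers, either raw or percent-encoded in a logged URL, and renders control characters visibly so the console cannot act on them. The function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# C0 controls except tab and newline, plus DEL and the 8-bit C1 range
# (covers ESC 0x1b and the single-byte CSI 0x9b).
CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")
ESC_SEQ = re.compile(r"\x1b(.?)")
KINDS = {"[": "CSI", "]": "OSC"}  # CSI: cursor/colour/erase; OSC: title/clipboard


def escape_kinds(line):
    """Return the kinds of terminal escape introducer found in one log line.

    Both the raw line and its percent-decoded form are checked, because an
    access log records the URL still encoded (%1b) while other log messages
    may carry the decoded byte.
    """
    found = set()
    for text in (line, unquote(line, encoding="latin-1")):
        for m in ESC_SEQ.finditer(text):
            found.add(KINDS.get(m.group(1), "ESC"))
        if "\x9b" in text:
            found.add("CSI")  # single-byte C1 form of ESC [
    return sorted(found)


def neutralize(line):
    """Render control characters as visible \\xNN text for safe display."""
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), line)


# Constructed sample lines (not taken from a real system).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /a%1b[2Jb HTTP/1.1" 404 0',
    "WARNING [worker-1] request rejected: /a\x1b[31mb",
]


def scan(lines):
    """Return (line_number, kinds, safe_text) for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        kinds = escape_kinds(line)
        if kinds:
            hits.append((n, kinds, neutralize(line)))
    return hits


if __name__ == "__main__":
    for n, kinds, safe in scan(SAMPLE):
        print(f"line {n}: {','.join(kinds)}: {safe}")
```

Viewing logs through a filter like `neutralize` reduces exposure while an upgrade is pending; it does not replace the fixed versions listed below.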

What is the Impact of CVE-2025-55754?

Successful exploitation may allow attackers to manipulate console output, alter clipboard contents, and potentially facilitate social engineering attacks by tricking administrators into executing arbitrary commands, leading to unauthorized system access or data compromise.

What is the Exploitability of CVE-2025-55754?

Exploitation of this vulnerability is complex and requires specific conditions to be met. It is typically a remote attack, as an attacker would craft a malicious URL to inject sequences. No authentication is strictly required to inject the sequences into logs, but a privileged user (administrator) would need to view and interact with the compromised console for the attack to succeed. The target environment must be a Windows operating system with a console that supports ANSI escape sequences. The likelihood of successful exploitation increases if administrators frequently monitor Tomcat logs directly within an affected console and are susceptible to social engineering tactics.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2025-55754?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

None

Available Upgrade Options

  • org.apache.tomcat:tomcat
    • >9.0.0.40, <9.0.109 → Upgrade to 9.0.109
    • >10.1.0-M1, <10.1.45 → Upgrade to 10.1.45
    • >11.0.0-M1, <11.0.11 → Upgrade to 11.0.11
  • org.apache.tomcat:tomcat-catalina
    • >9.0.0.40, <9.0.109 → Upgrade to 9.0.109
    • >10.1.0-M1, <10.1.45 → Upgrade to 10.1.45
    • >11.0.0-M1, <11.0.11 → Upgrade to 11.0.11
  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.0.40, <9.0.109 → Upgrade to 9.0.109
    • >10.1.0-M1, <10.1.45 → Upgrade to 10.1.45
    • >11.0.0-M1, <11.0.11 → Upgrade to 11.0.11

Additional Resources

What are Similar Vulnerabilities to CVE-2025-55754?

Similar Vulnerabilities: CVE-2021-42340, CVE-2020-13936, CVE-2020-1945, CVE-2018-8037, CVE-2017-12616