CVE-2025-55754
Published: 27 October 2025
Summary
CVE-2025-55754 is a critical-severity Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150) vulnerability in Apache Tomcat. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 31.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- SI-2 (Flaw Remediation): Requires timely remediation of the improper neutralization vulnerability in Apache Tomcat by upgrading to patched versions that properly escape ANSI sequences in log messages.
- SI-15 (Information Output Filtering): Filters control sequences such as ANSI escape codes in log output written to the console, preventing manipulation of the display and clipboard by attacker-injected content.
- Validates specially crafted URLs prior to processing and logging to block injection of malicious ANSI escape sequences into Tomcat logs.
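The two controls that act on the log stream itself (SI-15 output filtering and validation of request data before it is logged) come down to one operation: refusing to hand raw C0/C1 control characters to a terminal. The following Python is an added illustration written for this page; it is not code from the Tomcat project or from the advisory, and it makes no assumptions about Tomcat's logging internals. It shows both sides a defender wants: a neutralizer that renders control characters visibly before a message reaches the console, and a detector that scans existing log lines for sequences a console would interpret. The log lines are constructed sample data.

```python
import re
from typing import List, Tuple

# Sequence families a console interprets (ECMA-48 / ANSI): 7-bit CSI
# (ESC [ ... final byte), OSC (ESC ] ... BEL or ESC \), the remaining
# single-character ESC sequences (ESC 0x40-0x5F), and the 8-bit CSI
# introducer (0x9B).
ANSI_SEQUENCE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI: cursor, erase, colour ...
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"   # OSC: window title, clipboard ...
    r"|\x1b[\x40-\x5f]"                     # other two-character escapes
    r"|\x9b[0-?]*[ -/]*[@-~]"               # 8-bit CSI
)


def neutralize(message: str) -> str:
    """Output filter (SI-15): render every C0/C1 control character as a
    visible \\uXXXX escape so the console never interprets it.  Tab and
    newline are kept so multi-line records such as stack traces still read
    naturally; drop "\\n" from the allow-list if you also want to block
    CRLF log forging."""
    out = []
    for ch in message:
        code = ord(ch)
        is_c0 = code < 0x20 and ch not in "\t\n"
        is_c1 = 0x80 <= code <= 0x9f
        if is_c0 or is_c1 or code == 0x7f:
            out.append(f"\\u{code:04x}")
        else:
            out.append(ch)
    return "".join(out)


def find_sequences(line: str) -> List[str]:
    """Detection: return each console-interpretable escape sequence found
    in one log line (empty list when the line is clean)."""
    return ANSI_SEQUENCE.findall(line)


def scan_log(lines) -> List[Tuple[int, int]]:
    """Return (1-based line number, number of sequences) for every line in
    an existing log that contains at least one escape sequence."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = find_sequences(line)
        if found:
            hits.append((n, len(found)))
    return hits


# Constructed access-log lines (not real traffic).  Line 1 is benign; lines
# 2 and 3 carry request paths with raw ESC sequences of the kind the
# advisory describes (display manipulation and an OSC title change).
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Oct/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Oct/2025:10:00:01 +0000] "GET /\x1b[2J\x1b[31mx HTTP/1.1" 404 0',
    '10.0.0.9 - - [27/Oct/2025:10:00:02 +0000] "GET /\x1b]0;title\x07 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for n, count in scan_log(SAMPLE_LOG):
        print(f"line {n}: {count} escape sequence(s)")
    for line in SAMPLE_LOG:
        print(neutralize(line))
```

Run the module directly to see the scan report followed by the neutralized lines, in which every ESC and BEL appears as literal `\u001b` and `\u0007` text rather than being executed by the terminal. The neutralizer is applied to the whole formatted record, not just the URL, so it also covers headers and other request-derived fields that end up in log messages.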
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
CVE-2025-55754 enables unauthenticated remote exploitation of the public-facing Apache Tomcat web server via crafted URLs injecting ANSI escape sequences into logs, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker-controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.
Deeper analysis [AI]
CVE-2025-55754 is an Improper Neutralization of Escape, Meta, or Control Sequences vulnerability (CWE-150) in Apache Tomcat, where the software fails to escape ANSI escape sequences in log messages. This affects Tomcat versions from 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, and 9.0.40 through 9.0.108; end-of-life versions 8.5.60 through 8.5.100 are also vulnerable, as may be older EOL releases. The issue has a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), highlighting its critical potential impact.
An unauthenticated attacker on the network can exploit this by sending a specially crafted URL that injects ANSI escape sequences into Tomcat's log messages, provided the server runs in a console on Windows with ANSI support enabled. The injected sequences can manipulate the console display and clipboard content, potentially tricking an administrator into executing an attacker-controlled command. While no specific attack vector was identified for other operating systems, the vulnerability may enable similar attacks there.
Apache advisories recommend upgrading to Tomcat 11.0.11 or later, 10.1.45 or later, or 9.0.109 or later, which address the issue by properly escaping ANSI sequences in logs. Details are available in the official Apache security announcement at https://lists.apache.org/thread/j7w54hqbkfcn0xb9xy0wnx8w5nymcbqd and the oss-security mailing list post at http://www.openwall.com/lists/oss-security/2025/10/27/5.
Details
- CWE(s)