Threat Advisory

Apache Tomcat Vulnerabilities Enable URL Rewrite Bypass and Console Injection

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Apache Tomcat has addressed three vulnerabilities, CVE-2025-55752, CVE-2025-55754, and CVE-2025-61795, affecting versions of Tomcat 9, 10, and 11.

  • CVE-2025-55752: stems from a regression in the URL-rewrite component: when query parameters are rewritten into path segments and normalization occurs before decoding, it becomes possible to bypass the protections around /WEB-INF/ and /META-INF/. In configurations where HTTP PUT is enabled and files can be written, this may lead to remote code execution. The affected versions include Tomcat 11.0.0-M1 through 11.0.10; 10.1.0-M1 through 10.1.44; and 9.0.0.M11 through 9.0.108. The vendor fixed this vulnerability in versions 11.0.11, 10.1.45, and 9.0.109. While a formal CVSSv3 score was not clearly published, the issue is rated “Important/High” due to the bypass and the potential RCE risk. It carries a CVSS base score of 7.5.
  • CVE-2025-55754: involves ANSI escape sequence injection in console logs on Windows systems. Because Tomcat’s logging did not sanitize incoming data for ANSI escape codes, a crafted URL could cause ANSI sequences to appear in the Windows console, potentially misleading administrators or enabling clipboard injection via visual trickery. Affected versions include 11.0.0-M1 through 11.0.10; 10.1.0-M1 through 10.1.44; and 9.0.0.40 through 9.0.108. It carries a CVSS base score of 9.6.
  • CVE-2025-61795: addresses a resource-management flaw in multipart upload handling: when Tomcat writes temporary upload parts to disk and encounters errors (such as oversized files), it did not always clean up temporary files promptly, potentially allowing disk exhaustion and denial-of-service in high-upload environments. The affected versions span 11.0.0-M1 through 11.0.11; 10.1.0-M1 through 10.1.46; and 9.0.0.M1 through 9.0.109. It carries a CVSS base score of 5.3.
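The three issues above map to three defender-side checks: decode before normalizing and only then apply the /WEB-INF/ and /META-INF/ check (CVE-2025-55752 class), never let raw control characters reach a console log and flag request text that carries escape sequences (CVE-2025-55754 class), and unlink partial upload files on every failure path rather than leaving them for a finalizer (CVE-2025-61795 class). The block below is an added example written for this advisory; it is not Tomcat's code and does not reproduce its rewrite valve. The function names, the simplified rewrite simulation (a query-parameter value becoming a path), the regular expression and all sample inputs are constructed assumptions.

```python
# Added example, not Tomcat's own code: defender-side checks for the three issue
# classes in this advisory. Names, the rewrite simulation and all inputs are constructed.
import os
import re
import tempfile
from typing import Optional, Tuple
from urllib.parse import unquote

# --- CVE-2025-55752 class: percent-decode, then normalize, then check ----------
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")

def normalize_segments(path: str) -> Optional[str]:
    """Collapse '.' and '..'; None if the path would climb above the context root."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)

def is_protected(resolved: str) -> bool:
    """True for /WEB-INF, /META-INF and anything below them (case-insensitive)."""
    u = resolved.upper()
    return any(u == p.rstrip("/") or u.startswith(p) for p in PROTECTED_PREFIXES)

def decide_rewrite_target(param_value: str, decode_first: bool = True) -> Tuple[str, str]:
    """Simulate a rewrite rule that turns a query-parameter value into a path.
    decode_first=True is the safe order (decode, normalize, check);
    decode_first=False is the unsafe order from the advisory (normalize and
    check the still-encoded value, decode afterwards)."""
    if decode_first:
        resolved = normalize_segments(unquote(param_value))
        if resolved is None or is_protected(resolved):
            return "deny", resolved or ""
        return "allow", resolved
    checked = normalize_segments(param_value)
    if checked is None or is_protected(checked):
        return "deny", checked or ""
    return "allow", unquote(checked)  # decoding here can re-create '..' the check never saw

# --- CVE-2025-55754 class: no raw control characters reach the console --------
ANSI_RE = re.compile(
    r"\x1b(?:\[[0-?]*[ -/]*[@-~]"       # CSI: ESC [ params intermediates final
    r"|\][^\x07\x1b]*(?:\x07|\x1b\\)"   # OSC: ESC ] ... terminated by BEL or ESC \
    r"|[@-Z\\^_])"                      # two-byte Fe escapes
)

def contains_escape_sequences(text: str) -> bool:
    """Detection rule for already URL-decoded request text in access/console logs."""
    return ANSI_RE.search(text) is not None

def sanitize_for_console(text: str) -> str:
    """Render every control character except TAB as a visible \\xNN token.
    Nothing is dropped, so the evidence survives in the log line."""
    return "".join(
        c if c == "\t" or 0x20 <= ord(c) < 0x7F or ord(c) >= 0xA0 else f"\\x{ord(c):02x}"
        for c in text
    )

# --- CVE-2025-61795 class: remove partial upload files on every failure -------
class PartTooLarge(Exception):
    pass

def store_multipart_part(chunks, max_bytes: int, tmp_dir: str) -> str:
    """Stream one upload part to a temp file. On the size limit (or any other
    error) the partial file is unlinked immediately, not left for a finalizer."""
    fd, path = tempfile.mkstemp(prefix="upload_", dir=tmp_dir)
    written = 0
    try:
        with os.fdopen(fd, "wb") as f:
            for chunk in chunks:
                written += len(chunk)
                if written > max_bytes:
                    raise PartTooLarge(f"part exceeds {max_bytes} bytes")
                f.write(chunk)
        return path
    except BaseException:
        os.unlink(path)
        raise

def simulate_uploads() -> dict:
    """Constructed scenario: one in-limit and one oversized part into a scratch dir."""
    with tempfile.TemporaryDirectory() as d:
        kept = store_multipart_part([b"a" * 10, b"b" * 10], max_bytes=100, tmp_dir=d)
        rejected = False
        try:
            store_multipart_part([b"a" * 10, b"b" * 10], max_bytes=15, tmp_dir=d)
        except PartTooLarge:
            rejected = True
        left = os.listdir(d)
        return {"kept": os.path.basename(kept) in left, "rejected": rejected, "files_left": len(left)}
```

Calling `decide_rewrite_target` with the same encoded input in both orders shows the point of the first advisory item: the safe order resolves the value and denies it, while the unsafe order runs its check on a string that does not yet start with /WEB-INF/ and only afterwards decodes it. `sanitize_for_console` deliberately escapes rather than strips, so a log reviewer can still see that escape sequences were submitted; `contains_escape_sequences` is the matching detection rule. `simulate_uploads` confirms that the rejected part leaves no file behind.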

RECOMMENDATION:

We strongly recommend you update Apache Tomcat to version 11.0.12, 10.1.47, or 9.0.110.

REFERENCES:

The following reports contain further technical details:
