
Apache Tomcat CVE-2025-55754

Severity: CRITICAL (CVSS 3.1 base score 9.6)
Weakness: Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150)
Published: 2025-10-27 (source: security@apache.org)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline

  • CVE Published: Oct 27, 2025 - 18:15 (nvd)
  • Analysis Generated: May 12, 2026 - 13:32 (vuln.today)

Blast Radius

Ecosystem impact (transitive dependency graph, resolved by vuln.today to a depth of 4):
  • 2 maven packages depend on org.apache.tomcat.embed:tomcat-embed-core (2 direct, 0 indirect)
  • 2 maven packages depend on org.apache.tomcat:tomcat-catalina (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 11.0.0-M1 and other introduced versions.

Description (NVD)

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat.

Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker-controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108.

The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later, or 9.0.109 or later, which fix the issue.

Analysis (AI)

ANSI escape sequence injection in Apache Tomcat log messages enables console manipulation and social engineering attacks against administrators on Windows systems. An attacker can craft a URL that injects escape sequences into Tomcat's logs; when those logs are rendered in an ANSI-capable console, the sequences can alter what the administrator sees and modify clipboard contents, potentially tricking the administrator into executing an attacker-controlled command. Affected versions are Tomcat 9.0.40 through 9.0.108, 10.1.0-M1 through 10.1.44, and 11.0.0-M1 through 11.0.10, with the highest risk when Tomcat runs in an ANSI-capable Windows console. Despite the 9.6 CVSS score, real-world risk is lower: exploitation requires user interaction (an administrator viewing the logs in a console), the scope change reflects compromise of the console beyond the Tomcat process, and a specific Windows deployment configuration is needed. No active exploitation has been confirmed (not in CISA KEV), and EPSS data was not available at the time of analysis.

Technical Context (AI)

CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences) covers failures to sanitize control characters that affect how output is rendered. ANSI escape sequences are character combinations (e.g., ESC[...m for colors, ESC]...BEL for operating-system commands such as clipboard operations) that terminal emulators interpret to control cursor position, colors and, in some terminals, the system clipboard. Apache Tomcat's logging subsystem did not escape these sequences in log output, so attacker-controlled data from HTTP requests (URLs, headers) passed into log files unfiltered. When an administrator views these logs in an ANSI-capable Windows console (Command Prompt with VT sequence processing enabled on Windows 10+, or a terminal such as Windows Terminal), the sequences are interpreted, enabling text manipulation, fake error messages or clipboard injection. The flaw is in Tomcat's core logging mechanism and affects all three CPE-identified product lines (cpe:2.3:a:apache:tomcat): 9.x (9.0.40 through 9.0.108), 10.x (10.1.0-M1 through 10.1.44) and 11.x (11.0.0-M1 through 11.0.10), plus the EOL 8.5.x line (8.5.60 through 8.5.100).

Remediation (AI)

Upgrade to the vendor-released patched versions: Apache Tomcat 11.0.11 or later for 11.x deployments, 10.1.45 or later for 10.x deployments, or 9.0.109 or later for 9.x deployments, as specified in the Apache advisory at https://lists.apache.org/thread/j7w54hqbkfcn0xb9xy0wnx8w5nymcbqd. These versions implement proper ANSI escape sequence sanitization in log output. For systems running EOL 8.5.x or older versions that cannot be upgraded, implement compensating controls: run Tomcat as a Windows service rather than in an interactive console, use log aggregation tools that do not interpret ANSI sequences (Splunk, ELK, plaintext editors), disable VT sequence processing in the Windows console properties, or restrict administrator log access to remote viewing methods. Running as a service is standard production practice and eliminates the console-based exploitation vector entirely, though the injected sequences remain in the log files and could affect other tools that render them. Organizations using Siemens products should consult https://cert-portal.siemens.com/productcert/html/ssa-032379.html for product-specific guidance. No configuration-based workaround eliminates the vulnerability without upgrading.
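As an added illustration (not code from this page or from the Tomcat project), the following Python scans log lines for the escape-sequence families described in the technical context above and rewrites control bytes into visible tokens, the kind of neutralization a patched logger or a log viewer should apply before a console renders the text. The access-log lines, the regex families and the function names are all constructed for this example.

```python
import re
from typing import List, Tuple

# Terminal escape families, matched as named groups (patterns written for this example):
#   CSI  ESC [ params intermediates final   e.g. color / cursor-movement commands
#   OSC  ESC ] text, ended by BEL or ESC \  e.g. window-title or clipboard commands
#   ESC  any other ESC plus one byte, or a bare trailing ESC
#   C1   8-bit control bytes 0x80-0x9f (0x9b and 0x9d are one-byte CSI and OSC)
ANSI_RE = re.compile(
    r"(?P<CSI>\x1b\[[0-?]*[ -/]*[@-~])"
    r"|(?P<OSC>\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?)"
    r"|(?P<ESC>\x1b.?)"
    r"|(?P<C1>[\x80-\x9f])"
)

# C0 controls (except tab and newline), DEL and C1 bytes: everything a terminal could act on.
CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def find_escapes(line: str) -> List[Tuple[str, str]]:
    """Return (family, raw sequence) for every terminal escape found in a log line."""
    return [(m.lastgroup, m.group(0)) for m in ANSI_RE.finditer(line)]


def neutralize(line: str) -> str:
    """Rewrite control bytes as visible '\\xNN' tokens: the text is kept for forensics,
    but a console rendering the line can no longer act on it."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), line)


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line index, sorted escape families) for each line a terminal would interpret."""
    hits = []
    for idx, line in enumerate(lines):
        families = sorted({fam for fam, _ in find_escapes(line)})
        if families:
            hits.append((idx, families))
    return hits


# Constructed Tomcat-style access-log lines: the first is clean, the second carries a
# CSI color sequence and the third an OSC sequence, as unescaped logging would record them.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Oct/2025:18:15:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Oct/2025:18:15:01 +0000] "GET /\x1b[31mWARNING\x1b[0m HTTP/1.1" 404 0',
    '10.0.0.9 - - [27/Oct/2025:18:15:02 +0000] "GET /\x1b]0;title\x07 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for idx, families in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {families}")
        print("  safe to display:", neutralize(SAMPLE_LOG[idx]))
```

Run the scanner over a copied catalina or access log before opening it in a console; any hit is a line to read only through neutralize() or a viewer that does not interpret escapes.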

CVE-2025-55754 vulnerability details – vuln.today
