Apache Tomcat: Low: Console manipulation via escape sequences in log messages (CVE-2025-55754)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:M/Au:N/C:C/I:C/A:C) | Oct 28, 2025 | Oct 28, 2025 | Oct 30, 2025 |
Description
Tomcat did not escape ANSI escape sequences in log messages. If Tomcat
was running in a console on a Windows operating system, and the console
supported ANSI escape sequences, it was possible for an attacker to use a
specially crafted URL to inject ANSI escape sequences to manipulate the
console and the clipboard and attempt to trick an administrator into
running an attacker controlled command. While no attack vector was found,
it may have been possible to mount this attack on other operating
systems.
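The Python sketch below is an added example, not Tomcat's fix and not code from this advisory. It shows the two defensive checks the description implies: rendering control characters in a log message as visible text before it reaches a terminal, and flagging access-log requests whose decoded URL carries such characters. The function names, the common-log-format layout, and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# C0 controls except tab, plus DEL and C1 (U+0080-U+009F, which includes CSI U+009B).
CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")
# Request field of a common-log-format line (assumed log layout).
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines; the sequences are harmless colour codes.
SAMPLE = [
    '203.0.113.7 - - [28/Oct/2025:10:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Oct/2025:10:00:02 +0000] "GET /a%1b%5B31mred HTTP/1.1" 404 0',
    '203.0.113.7 - - [28/Oct/2025:10:00:03 +0000] "GET /b%251b%5B0m HTTP/1.1" 404 0',
]


def neutralize(message):
    """Replace each control character with a literal \\xNN so a console prints it as text."""
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), message)


def fully_decoded(value, max_rounds=3):
    """Percent-decode repeatedly so double encoding (%251b -> %1b -> ESC) is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(lines):
    """Return (line_number, neutralized_url) for requests that decode to control characters."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = fully_decoded(match.group(1))
        if CONTROL.search(url):
            hits.append((number, neutralize(url)))
    return hits


if __name__ == "__main__":
    for number, url in suspicious_requests(SAMPLE):
        print(f"line {number}: {url}")
```

Newlines and carriage returns are neutralized along with ESC, so the same filter also stops a single request from forging extra log lines.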
Solutions
- apache-tomcat-upgrade-10_1_45
- apache-tomcat-upgrade-11_0_11
- apache-tomcat-upgrade-9_0_109