The Apache Software Foundation has released multiple security patches for Apache Tomcat, addressing three newly disclosed vulnerabilities — CVE-2025-55752, CVE-2025-55754, and CVE-2025-61795 — affecting versions of Tomcat 9, 10, and 11. The most severe, CVE-2025-55752, could potentially lead to remote code execution (RCE) if specific conditions are met.
CVE-2025-55752 arises from a regression in Tomcat’s URL rewrite handling. According to the advisory, “The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/.”
This flaw could allow attackers to bypass access controls and, under certain configurations, upload malicious files via HTTP PUT requests, leading to potential remote code execution.
However, Apache notes that exploitation is unlikely in standard configurations, since “PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.”
Affected versions include:
- Tomcat 11.0.0-M1 to 11.0.10
- Tomcat 10.1.0-M1 to 10.1.44
- Tomcat 9.0.0.M11 to 9.0.108
Users should upgrade to Tomcat 11.0.11, 10.1.45, or 9.0.109, where the issue has been fixed.
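The ordering problem the advisory describes (normalizing a rewritten URL before percent-decoding it) is easy to reproduce in miniature. The following is an added example and not Tomcat's own code: a toy path check in Python that applies the two orderings to constructed test URIs. `normalize`, `is_protected`, `check_normalize_then_decode` and `check_decode_then_normalize` are hypothetical names, `posixpath.normpath` stands in for the container's dot-segment collapsing, and the prefix match is case-sensitive for simplicity. The point for defenders is that any constraint check on a URL must run on the fully decoded, then normalized form; checking before decoding lets encoded dot-segments survive normalization and be resolved only later.

```python
from urllib.parse import unquote
import posixpath

# Resources a servlet container must never serve directly.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments and duplicate slashes.

    posixpath.normpath is a stand-in for the container's own
    normalization; the trailing slash is preserved so directory
    prefixes still match after normalization.
    """
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def is_protected(path: str) -> bool:
    """True when the (already canonical) path reaches a protected tree."""
    return any(path.startswith(p) or path == p.rstrip("/") for p in PROTECTED_PREFIXES)


def check_normalize_then_decode(rewritten: str) -> bool:
    """The regressed ordering: normalize first, decode second.

    Returns True if the request would be allowed. Percent-encoded
    dot-segments are invisible to normalize() and only appear after
    the check has already passed.
    """
    normalized = normalize(rewritten)
    decoded = unquote(normalized)
    return not is_protected(decoded)


def check_decode_then_normalize(rewritten: str) -> bool:
    """The correct ordering: decode, then normalize, then check."""
    decoded = unquote(rewritten)
    normalized = normalize(decoded)
    return not is_protected(normalized)


def compare(rewritten: str) -> dict:
    """Run both orderings on one URI so the divergence is visible."""
    return {
        "normalize_then_decode": check_normalize_then_decode(rewritten),
        "decode_then_normalize": check_decode_then_normalize(rewritten),
    }


if __name__ == "__main__":
    # Constructed test URIs, not taken from any real application.
    for uri in ("/app/index.jsp",
                "/WEB-INF/web.xml",
                "/app/../WEB-INF/web.xml",
                "/app/%2e%2e/WEB-INF/web.xml"):
        print(uri, compare(uri))
```

Only the last constructed URI separates the two orderings: the literal `..` form is caught either way because normalization sees it, while the encoded form passes the regressed check and is rejected only by the decode-first check.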
Another flaw, CVE-2025-55754, affects Tomcat instances running on Windows environments with consoles that support ANSI escape sequences.
The advisory explains, “Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command.”
While no direct attack vector was identified, Apache warned that similar manipulations “may have been possible to mount on other operating systems.”
Affected versions include:
- Tomcat 11.0.0-M1 to 11.0.10
- Tomcat 10.1.0-M1 to 10.1.44
- Tomcat 9.0.0.40 to 9.0.108
Users should upgrade to Tomcat 11.0.11, 10.1.45, or 9.0.109.
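The general mitigation for the log-injection issue is to make control characters visible before a request-derived value reaches a console or log file. Below is an added example, not Tomcat's code: a small Python sanitizer plus a scanner a defender can run over existing log lines. `sanitize_for_log`, `contains_terminal_controls` and `format_access_line` are hypothetical names; the log line and URIs are constructed. It neutralizes the 7-bit escape (ESC, 0x1b), the 8-bit C1 controls (U+0080 to U+009F, which include the one-byte CSI) and the other C0 controls, and leaves only the tab printable, so carriage returns and newlines cannot forge additional log entries either.

```python
import re

# Every C0 control except TAB (0x09), plus DEL and the C1 range.
# ESC (0x1b) starts 7-bit escape sequences; U+009B is the 8-bit CSI.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")

# Loose detector for an escape sequence that is already in a log line.
_ESCAPE_SEQ = re.compile(r"(?:\x1b[\[\]P_^]|\x9b|\x9d)")


def sanitize_for_log(value: str) -> str:
    """Replace each control character with a visible \\xNN token.

    The token form keeps the evidence in the log (an analyst can still
    see that a request carried ESC) without letting a terminal act on it.
    """
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def contains_terminal_controls(line: str) -> bool:
    """True if a raw log line contains a CSI/OSC/DCS introducer.

    Useful when reviewing logs written by an unpatched instance that
    were not sanitized at write time.
    """
    return _ESCAPE_SEQ.search(line) is not None


def format_access_line(remote: str, method: str, uri: str, status: int) -> str:
    """Build one access-log line with every request-derived field sanitized."""
    return f"{sanitize_for_log(remote)} {sanitize_for_log(method)} {sanitize_for_log(uri)} {status}"


if __name__ == "__main__":
    # Constructed request values; the URI carries an ESC [ 2 J (clear screen),
    # a BEL and a CR+LF that would otherwise start a fake second line.
    raw_uri = "/index.html\x1b[2J\x07\r\nGET /forged 200"
    line = format_access_line("203.0.113.5", "GET", raw_uri, 404)
    print(line)
    print("escape present in raw:", contains_terminal_controls(raw_uri))
    print("escape present in sanitized:", contains_terminal_controls(line))
```

The sanitizer is applied per field rather than to the finished line so the separators the log format itself emits are never touched; the scanner is deliberately loose (it matches introducers, not complete sequences) because a reviewer wants to be told about any suspicious byte rather than only well-formed sequences.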
The third vulnerability, CVE-2025-61795, could cause a denial-of-service (DoS) condition during multipart file uploads.
If an error occurs — such as exceeding file size limits — temporary copies of uploaded files may not be deleted immediately. Apache states, “Temporary copies of the uploaded parts written to local storage were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS.”
This flaw affects:
- Tomcat 11.0.0-M1 to 11.0.11
- Tomcat 10.1.0-M1 to 10.1.46
- Tomcat 9.0.0.M1 to 9.0.109
Users should upgrade to Tomcat 11.0.12, 10.1.47, or 9.0.110 to prevent this issue.
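The failure mode behind the DoS is relying on garbage collection to remove temporary copies after a part is rejected. The following added example, which is not Tomcat's or Commons FileUpload's code, shows the pattern a defender wants instead: a Python part store that registers each temporary file before writing to it and unlinks every file it created, partial ones included, as soon as any part exceeds the size limit. `store_parts`, `discard_parts`, `run_scenario`, `StoredPart` and `PartTooLarge` are hypothetical names, and the multipart bodies are constructed in-memory byte chunks rather than a parsed HTTP request.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Iterable, List, Tuple


class PartTooLarge(Exception):
    """Raised when a single part exceeds the configured limit."""


@dataclass
class StoredPart:
    name: str
    path: str


def discard_parts(stored: List[StoredPart]) -> None:
    """Delete temporary copies now, without waiting for a finalizer."""
    for part in stored:
        try:
            os.unlink(part.path)
        except FileNotFoundError:
            pass


def store_parts(parts: Iterable[Tuple[str, Iterable[bytes]]],
                max_part_size: int, tmp_dir: str) -> List[StoredPart]:
    """Stream each part to a temp file; on any error remove all of them.

    The temp file is appended to `stored` before the first write, so a
    part that is rejected halfway through is cleaned up along with the
    parts that were completed before it.
    """
    stored: List[StoredPart] = []
    try:
        for name, chunks in parts:
            fd, path = tempfile.mkstemp(dir=tmp_dir, prefix="upload_")
            stored.append(StoredPart(name, path))
            written = 0
            with os.fdopen(fd, "wb") as fh:
                for chunk in chunks:
                    written += len(chunk)
                    if written > max_part_size:
                        raise PartTooLarge(f"part {name!r} exceeds {max_part_size} bytes")
                    fh.write(chunk)
        return stored
    except Exception:
        discard_parts(stored)
        raise


def run_scenario(parts, max_part_size: int) -> Tuple[str, int, int]:
    """Run one upload in a fresh temp dir.

    Returns (outcome, files present after store_parts, files present
    after discard). For a rejected upload the first count is already 0.
    """
    tmp_dir = tempfile.mkdtemp(prefix="multipart_demo_")
    try:
        try:
            stored = store_parts(parts, max_part_size, tmp_dir)
        except PartTooLarge:
            return ("rejected", len(os.listdir(tmp_dir)), len(os.listdir(tmp_dir)))
        during = len(os.listdir(tmp_dir))
        discard_parts(stored)          # normal request-end cleanup
        return ("stored", during, len(os.listdir(tmp_dir)))
    finally:
        shutil.rmtree(tmp_dir, ignore_errors=True)


# Constructed uploads: the second one has a part that overruns the limit.
GOOD_UPLOAD = [("a", [b"x" * 10]), ("b", [b"y" * 10])]
BAD_UPLOAD = [("a", [b"x" * 10]), ("b", [b"y" * 10, b"y" * 10])]

if __name__ == "__main__":
    print(run_scenario(GOOD_UPLOAD, max_part_size=15))
    print(run_scenario(BAD_UPLOAD, max_part_size=15))
```

The same shape applies in Java with a `try`/`finally` around the part loop: what matters is that deletion is tied to the request's control flow, because under load a finalizer or `Cleaner` may run far later than the disk fills.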