CVE-2025-55754 [Critical] | Security Vulnerability in Tomcat

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-05-29	0.18%	0.14%	-0.05%
2	2026-05-28	0.06%	0.18%	+0.13%
3	2025-11-15	—	0.06%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-05-29

0.18%

0.14%

-0.05%

2026-05-28

0.06%

0.18%

+0.13%

2025-11-15

—

0.06%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
9.6	3.1	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:R) A real person has to do something—click, install, enable—otherwise it doesn’t land. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	2.8	6.0	134c704f-9b21-4f2e-91b3-4a467353bcc0

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

9.6

3.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R): A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

2.8

6.0

134c704f-9b21-4f2e-91b3-4a467353bcc0

OS Trackers for CVE-2025-55754

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2025-55754 not yet assigned priority: Debian including 3 source packages (tomcat10, tomcat11, tomcat9), 12 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 12.	https://security-tracker.debian.org/tracker/CVE-2025-55754
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2025-55754
`suse`	medium	CVE-2025-55754 severity moderate: SUSE including 364 source package names (2.2.0-4.48:libaugeas0-1.14.1-slfo.1.1_2.1, 2.2.0-4.48:libfa1-1.14.1-slfo.1.1_2.1, …), 746 product×package rows across 73 product lines (Container suse/manager/5.0/x86_64/server, Container suse/multi-linux-manager/5.1/x86_64/server, … (73 product lines)): Fixed 482, Known Affected 231, First Fixed 33.	https://www.suse.com/security/cve/CVE-2025-55754/
`ubuntu`	medium	CVE-2025-55754 medium priority: Ubuntu including 6 source packages (tomcat10, tomcat11, tomcat6, tomcat7, tomcat8, tomcat9), 41 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 18, ignored 11, needs-triage 6, not-affected 3, released 3.	https://ubuntu.com/security/CVE-2025-55754

Affected software / configurations for CVE-2025-55754

Vendor	Product	Version	Raw CPE
apache	tomcat	>= 8.5.60, <= 8.5.100	cpe:2.3:a:apache:tomcat::::::::
apache	tomcat	>= 9.0.40, < 9.0.109	cpe:2.3:a:apache:tomcat::::::::
apache	tomcat	>= 10.0.0, < 10.0.27	cpe:2.3:a:apache:tomcat::::::::
apache	tomcat	>= 10.1.0, < 10.1.45	cpe:2.3:a:apache:tomcat::::::::
apache	tomcat	>= 11.0.0, < 11.0.11	cpe:2.3:a:apache:tomcat::::::::

References for CVE-2025-55754

URL	Tags
https://lists.apache.org/thread/j7w54hqbkfcn0xb9xy0wnx8w5nymcbqd	Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/10/27/5	Mailing List Third Party Advisory
https://cert-portal.siemens.com/productcert/html/ssa-032379.html

URL

CVE-2025-55754 | Apache Tomcat: console manipulation via escape sequences in log messages

Exploit prediction scoring system (EPSS) score for CVE-2025-55754

Common vulnerability scoring system (CVSS) metrics for CVE-2025-55754

Weakness enumeration for CVE-2025-55754

GitHub Security Advisory for CVE-2025-55754

OS Trackers for CVE-2025-55754

Affected software / configurations for CVE-2025-55754

References for CVE-2025-55754