Apache Tomcat Patches for URL Rewrite Bypass and Console Injection Vulnerabilities
Apache Tomcat released security updates addressing two critical vulnerabilities: a URL rewrite bypass (CVE-2025-55752) that could allow directory traversal and potential remote code execution (RCE) if the HTTP PUT method is enabled, and a console ANSI injection flaw (CVE-2025-55754) that could enable manipulation of log messages via escape sequences. The affected versions include Tomcat 11.0.0-M1 to 11.0.10, 10.1.0-M1 to 10.1.44, and 9.0.0.M11 to 9.0.108, with users and administrators urged to apply the necessary patches immediately to mitigate risk.
The URL rewrite bypass vulnerability allows attackers to craft malicious requests that evade security controls, potentially leading to unauthorized file access or code execution on vulnerable servers. The console ANSI injection issue could be exploited to alter log output, possibly obscuring malicious activity or facilitating further attacks. Security advisories from both Apache and national cybersecurity authorities emphasize the importance of prompt remediation to prevent exploitation in the wild.
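The affected-version ranges above mix milestone builds ("11.0.0-M1", "9.0.0.M11") with GA releases, which trips up naive string comparison during inventory triage. The following added example (not code from Apache or from this advisory) parses both spellings so that milestones sort before the GA release of the same number, then checks an inventory against the inclusive ranges quoted above; the first fixed release per branch (11.0.11, 10.1.45, 9.0.109) is taken from the related story further down the page, and the inventory hosts are constructed for illustration.

```python
import re
from typing import NamedTuple

# Inclusive affected ranges as quoted in the advisory summary above; both CVEs share the same ranges.
AFFECTED_RANGES = {
    "CVE-2025-55752": [("11.0.0-M1", "11.0.10"), ("10.1.0-M1", "10.1.44"), ("9.0.0.M11", "9.0.108")],
    "CVE-2025-55754": [("11.0.0-M1", "11.0.10"), ("10.1.0-M1", "10.1.44"), ("9.0.0.M11", "9.0.108")],
}

# First release on each branch carrying the fix, as stated in the related story on this page.
FIRST_FIXED = {"11.0": "11.0.11", "10.1": "10.1.45", "9.0": "9.0.109"}

# Milestone builds sort before the GA release of the same number; GA gets a sentinel above any milestone.
GA = 10**9

# Accepts "11.0.10", "11.0.0-M1" and the older "9.0.0.M11" spelling of milestone builds.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


class TomcatVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    milestone: int  # milestone number, or GA for a final release


def parse_version(text: str) -> TomcatVersion:
    """Parse a Tomcat version string into a tuple that orders correctly across milestones and GA."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    return TomcatVersion(int(major), int(minor), int(patch), int(milestone) if milestone else GA)


def affected_cves(version: str) -> list[str]:
    """Return the CVE ids from the advisory whose affected ranges include this version."""
    v = parse_version(version)
    return [
        cve
        for cve, ranges in AFFECTED_RANGES.items()
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)
    ]


def triage(version: str) -> dict:
    """Summarise exposure for one installed version, with the branch's first fixed release when affected."""
    v = parse_version(version)
    cves = affected_cves(version)
    return {
        "version": version,
        "affected": bool(cves),
        "cves": cves,
        "upgrade_to": FIRST_FIXED.get(f"{v.major}.{v.minor}") if cves else None,
    }


if __name__ == "__main__":
    # Constructed inventory for illustration, not real hosts.
    inventory = {"app-01": "9.0.108", "app-02": "9.0.109", "app-03": "11.0.0-M1", "legacy-01": "8.5.100"}
    for host, ver in inventory.items():
        print(host, triage(ver))
```

Branches outside the quoted ranges (8.5.x here) report as unaffected only because the advisory lists no range for them; an end-of-life branch still deserves its own review.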
Timeline
Oct 27, 2025
Apache releases Tomcat advisories for CVE-2025-55752 and CVE-2025-55754
On 2025-10-27, Apache published security advisories for multiple Apache Tomcat versions covering CVE-2025-55752, a rewrite-based directory traversal issue that could lead to RCE if PUT is enabled, and CVE-2025-55754, a console escape-sequence injection flaw in log messages. The advisories instructed users and administrators to review affected versions and apply updates.
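The log-injection flaw works because attacker-controlled bytes such as ESC reach a console that interprets them as terminal commands. The added example below (my own illustration, not Apache's fix or Tomcat code) shows the defender's two halves of that problem: detecting terminal escape sequences in log lines already written, and rendering control bytes visibly before they are logged. The sample log lines are constructed for the demonstration.

```python
import re

# Recognises the sequences a terminal would act on: CSI (ESC [ ... final byte),
# OSC (ESC ] ... terminated by BEL or ESC \), and any other two-byte ESC + Fe sequence.
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI: cursor movement, erase line, colour, ...
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC: window title, hyperlinks, ...
    r"|\x1b[@-_]"                          # remaining Fe escapes (also catches a truncated CSI)
)


def find_escape_sequences(line: str) -> list[str]:
    """Return every terminal escape sequence found in one log line."""
    return ANSI_RE.findall(line)


def sanitize(line: str) -> str:
    """Render ESC, DEL and other C0 control bytes (TAB excepted) as visible \\xNN text.

    A terminal shows the text literally instead of executing it, so this is what a
    logging layer should do to untrusted fields before they reach a console appender.
    """
    out = []
    for ch in line:
        code = ord(ch)
        if code == 0x1B or (code < 0x20 and ch != "\t") or code == 0x7F:
            out.append(f"\\x{code:02x}")
        else:
            out.append(ch)
    return "".join(out)


def scan(lines):
    """Return (line number, sequences) for every line that carries an escape sequence."""
    return [(n, seqs) for n, line in enumerate(lines, 1) if (seqs := find_escape_sequences(line))]


# Constructed sample lines (not real traffic). Line 2 hides a cursor-up/erase-line pair
# inside the User-Agent field, so a terminal rendering the log would overwrite the entry
# above it; line 3 carries an OSC sequence that would retitle the operator's window.
SAMPLE_LINES = [
    '203.0.113.5 - - [27/Oct/2025:10:00:00 +0000] "GET /index.jsp HTTP/1.1" 200 512 "Mozilla/5.0"',
    '203.0.113.9 - - [27/Oct/2025:10:00:01 +0000] "GET /manager/html HTTP/1.1" 403 0 "x\x1b[1A\x1b[2Kclean"',
    '203.0.113.9 - - [27/Oct/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 12 "\x1b]0;title\x07"',
]

if __name__ == "__main__":
    for n, seqs in scan(SAMPLE_LINES):
        print(f"line {n}: {len(seqs)} escape sequence(s); sanitized: {sanitize(SAMPLE_LINES[n - 1])}")
```

Running the scan over existing access or catalina logs is a cheap retrospective check for attempts against an unpatched instance; the sanitizer is the shape of control an application can apply to request-derived fields regardless of which logging framework sits underneath.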
Related Stories

Multiple Recent Vulnerabilities in Apache Tomcat
Two significant vulnerabilities have been identified in Apache Tomcat, each with distinct attack vectors and impacts. CVE-2025-61795 is an improper resource shutdown or release vulnerability that can lead to a denial-of-service (DoS) condition if temporary files from multipart uploads are not cleaned up promptly, potentially exhausting disk space and exposing sensitive data. This issue affects Tomcat versions 11.0.0-M1 through 11.0.11, 10.1.0-M1 through 10.1.46, 9.0.0.M1 through 9.0.109, and several end-of-life versions, with patches available in 11.0.12, 10.1.47, and 9.0.110 and later. CVE-2025-55752 is a relative path traversal vulnerability introduced by a regression in the fix for a previous bug, allowing attackers to bypass security constraints and potentially upload malicious files if specific, non-default configurations are present. This vulnerability affects Tomcat versions 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, 9.0.0.M11 through 9.0.108, and certain EOL versions, with fixes in 11.0.11, 10.1.45, and 9.0.109 and later. Both vulnerabilities require prompt attention from administrators, especially those running affected Tomcat versions. The DoS vulnerability (CVE-2025-61795) can be exploited by attackers to exhaust server resources, while the path traversal flaw (CVE-2025-55752) could lead to remote code execution under specific conditions. Organizations are advised to upgrade to the latest patched versions to mitigate these risks and review their Tomcat configurations to ensure that non-default features such as HTTP PUT requests and URL rewriting are not unnecessarily enabled.
1 month ago
Apache Tomcat OCSP Validation Flaws Let CLIENT_CERT Authentication Fail Open
Apache disclosed two moderate-severity vulnerabilities, **CVE-2026-29145** and **CVE-2026-34500**, affecting **Apache Tomcat** and, in one case, **Apache Tomcat Native**, where OCSP-based certificate validation can sometimes **soft-fail even when soft-fail is disabled**. In affected deployments using `CLIENT_CERT` authentication, this can cause certificate checks not to fail as expected, potentially allowing authentication to proceed under conditions that should have been rejected. The first flaw impacts Tomcat 11.0.0-M1 through 11.0.18, 10.1.0-M7 through 10.1.52, and 9.0.83 through 9.0.115, as well as Tomcat Native 1.1.23 through 1.1.34, 1.2.0 through 1.2.39, 1.3.0 through 1.3.6, and 2.0.0 through 2.0.13; Tomcat through 8.5.100 was listed as unaffected. Apache said the second flaw, **CVE-2026-34500**, affects OCSP checking with **FFM** and extends to Tomcat 11.0.0-M14 through 11.0.20, 10.1.22 through 10.1.53, and 9.0.92 through 9.0.116. The project urged users to upgrade to fixed releases: for **CVE-2026-29145**, Tomcat 11.0.20, 10.1.53, or 9.0.116 and Tomcat Native 1.3.7 or 2.0.14; for **CVE-2026-34500**, Tomcat 11.0.21, 10.1.54, or 9.0.117. Apache credited **gregk4sec** with reporting CVE-2026-29145 and **Haruki Oyama of Waseda University** with reporting CVE-2026-34500.
3 weeks ago
Multiple Vulnerabilities Disclosed in Apache Traffic Server and Apache Tomcat
German authorities published security advisories for **Apache Traffic Server** and **Apache Tomcat/Tomcat Native**, warning of multiple vulnerabilities affecting the widely used web proxy, caching, and Java application server products. The notices identify separate issues in the two Apache projects, indicating that organizations running these technologies should review vendor guidance and determine whether exposed internet-facing services or internal application platforms are affected. The advisories provide limited public detail, but the affected software is commonly deployed in enterprise web delivery and application environments, raising the risk of service disruption, unauthorized access, or further compromise if vulnerable instances remain unpatched. Security teams are expected to prioritize asset identification, apply available updates from the Apache projects and downstream vendors, and monitor systems using **Apache Traffic Server**, **Apache Tomcat**, and **Tomcat Native** for signs of exploitation or abnormal activity.
3 weeks ago