Apache Tomcat Console Manipulation Vulnerability via Unescaped ANSI Escape Sequences

Vulnerability

A vulnerability exists in Apache Tomcat versions 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, and 9.0.40 through 9.0.108, as well as older, end-of-life versions. Tomcat did not escape ANSI escape sequences when writing log messages, so attacker-controlled input that ends up in a log line (for example the path of a crafted URL) is written to the console verbatim. When Tomcat runs in a console on Windows that interprets these sequences, the injected sequences can manipulate the console display and clipboard, potentially tricking an administrator into executing an attacker-controlled command.
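The following is an added example, not Tomcat code and not the page's own material. It shows what a detection or log-hardening tool for this bug class looks like: it finds terminal escape sequences (CSI sequences such as clear-screen, and OSC sequences, of which OSC 52 is the one consoles with clipboard support use to write the clipboard) in log lines, flags lines that carry them, and escapes control bytes so a log value is safe to print to an interactive console. The access-log lines are constructed for the example; the page does not state which sequence the real attack uses, so the OSC 52 payload here is an illustration of the clipboard-manipulation family only. Percent-decoding is included because an ESC byte in a URL typically arrives as %1B.

```python
import base64
import re
from urllib.parse import unquote

# Escape-sequence families a console interprets:
#   CSI: ESC [ parameters intermediates final  (cursor moves, clear screen, colours)
#   OSC: ESC ] text (BEL | ESC \)               (window title; OSC 52 = clipboard write)
CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
OSC_RE = re.compile(r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")
# Every C0 control byte plus DEL; all of them are unsafe in a console log line.
CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")


def find_escape_sequences(text):
    """Return (kind, sequence) for each terminal escape found in text.

    Recognised OSC and CSI sequences are classified; any ESC byte left over
    (unterminated or unknown sequence) is reported as a lone 'ESC'.
    """
    found = []
    covered = set()
    for pattern, label in ((OSC_RE, "OSC"), (CSI_RE, "CSI")):
        for m in pattern.finditer(text):
            seq = m.group(0)
            kind = label
            if label == "OSC" and seq.startswith("\x1b]52;"):
                kind = "OSC52-clipboard"
            found.append((kind, seq))
            covered.update(range(m.start(), m.end()))
    for i, ch in enumerate(text):
        if ch == "\x1b" and i not in covered:
            found.append(("ESC", ch))
    return found


def scan_log_lines(lines, decode=False):
    """Flag log lines carrying escapes; returns [(line_number, [kinds])].

    decode=True percent-decodes each line first, so that %1B in a still-encoded
    request target is caught the way a server that decodes before logging sees it.
    """
    alerts = []
    for n, line in enumerate(lines, 1):
        if decode:
            line = unquote(line)
        kinds = [kind for kind, _ in find_escape_sequences(line)]
        if kinds:
            alerts.append((n, kinds))
    return alerts


def sanitize_for_console(text):
    """Replace every control byte with a visible \\xNN form before logging."""
    return CTRL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), text)


# Constructed sample access-log lines (addresses from the documentation ranges).
CLIPBOARD_B64 = base64.b64encode(b"echo pwned").decode()  # illustrative clipboard content
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Oct/2025:18:19:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    # Decoded request path: clear the screen (CSI 2J), then write the clipboard (OSC 52).
    '192.0.2.20 - - [27/Oct/2025:18:19:05 +0000] "GET /\x1b[2J\x1b]52;c;'
    + CLIPBOARD_B64 + '\x07 HTTP/1.1" 404 0',
    # Same clear-screen sequence still percent-encoded, as seen before decoding.
    '192.0.2.30 - - [27/Oct/2025:18:19:09 +0000] "GET /%1B%5B2J HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for line_no, kinds in scan_log_lines(SAMPLE_LOG, decode=True):
        print("line %d: %s" % (line_no, ", ".join(kinds)))
        print("  safe form:", sanitize_for_console(unquote(SAMPLE_LOG[line_no - 1])))
```

Run against a real Tomcat console or access log, the scan flags lines an administrator should not have had rendered on an interactive terminal; the sanitizer is the shape of fix a log writer needs, namely escaping before output rather than trusting the request.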

Impact

Exploitation could lead to unauthorized manipulation of the console and clipboard, with the possibility of tricking an administrator into executing an attacker-controlled command. Exposure requires Tomcat to be running in an interactive console on Windows that interprets ANSI escape sequences and an administrator to be working in that console; deployments that write logs to files or run as a service without a console are not exposed through this path, although the unescaped sequences are still written to the logs.

Remediation

Users are advised to upgrade to Apache Tomcat 11.0.11 or later, 10.1.45 or later, or 9.0.109 or later. Older, end-of-life versions receive no fix and should be migrated to one of the supported branches above.

Added: Oct 27, 2025, 6:19 PM
Updated: Oct 27, 2025, 6:19 PM

Vulnerability Rating

Custom Algorithm

spread: 8.8
impact: 3.5
exploitability: 7.6
remediation: 7.9
relevance: 0.8
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.