Apache Tomcat security advisory (AV25-702)

Serial number: AV25-702
Date: October 28, 2025

On October 27, 2025, Apache published security advisories to address vulnerabilities in the following products:

• Apache Tomcat – versions 11.0.0-M1 to 11.0.10
• Apache Tomcat – versions 10.1.0-M1 to 10.1.44
• Apache Tomcat – versions 9.0.0.M11 to 9.0.108
• Apache Tomcat – versions 9.0.0.40 to 9.0.108
• Older, EOL versions may also be affected

The Cyber Centre is aware that a proof of concept (PoC) for vulnerability CVE-2025-55752 publicly exists.

The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates.

• [SECURITY] CVE-2025-55754 Apache Tomcat - Console manipulation via escape sequences in log messages
• [SECURITY] CVE-2025-55752 Apache Tomcat - Directory traversal via rewrite with possible RCE if PUT is enabled