Key information

CVE ID: CVE-2025-55754
Vulnerability type: Console manipulation via escape sequences in log messages
Severity: Low
Vendor: The Apache Software Foundation

Affected versions:
- Apache Tomcat 11.0.0-M1 to 11.0.10
- Apache Tomcat 10.1.0-M1 to 10.1.44
- Apache Tomcat 9.0.0.40 to 9.0.108
- Older, EOL versions may also be affected

Description:
- Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system and the console supported ANSI escape sequences, an attacker could use a specially crafted URL to inject ANSI escape sequences into the log output, manipulate the console and the clipboard, and attempt to trick an administrator into running an attacker-controlled command.

Mitigation:
- Upgrade to Apache Tomcat 11.0.11 or later
- Upgrade to Apache Tomcat 10.1.45 or later
- Upgrade to Apache Tomcat 9.0.109 or later

Credit: Elysee Franchuk of MOBIA Technology Innovations

History:
- 2025-10-27 Original advisory

References:
- [1] https://tomcat.apache.org/security-11.html
- [2] https://tomcat.apache.org/security-10.html
- [3] https://tomcat.apache.org/security-9.html
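The advisory's root cause is a log sink that writes attacker-supplied request data to a terminal without neutralising control characters. The following Python is an added example (not Tomcat's code, and not the fix the Tomcat project shipped) showing the general shape of the mitigation the advisory describes and a matching detection check: it replaces terminal control bytes (ESC and the rest of the C0/C1 ranges) with a visible `\uXXXX` spelling before a line reaches the console, and it flags already-written log lines that still carry raw control bytes. The log lines, IP addresses and paths are constructed sample data, not material from the advisory.

```python
import re

# Constructed sample access-log lines (not from the advisory). The second line
# carries a raw ESC (0x1b) inside the request path, the kind of input that a
# console-attached log sink would otherwise hand to the terminal unescaped.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [27/Oct/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Oct/2025:10:00:01 +0000] "GET /\x1b[2Jmissing HTTP/1.1" 404 0',
]

# Characters a terminal may interpret rather than print: C0 controls except
# TAB/LF/CR (kept so multi-line log records still render), DEL, and the C1
# range 0x80-0x9f, which some terminals treat as 8-bit equivalents of
# ESC-prefixed sequences. CR/LF log forging is a separate concern and is
# deliberately not handled here.
_CONTROL_CHARS = re.compile(r'[\x00-\x08\x0b\x0c\x0e-\x1f\x7f\x80-\x9f]')


def sanitize_log_field(value: str) -> str:
    """Replace each terminal control character with a printable \\uXXXX escape.

    The byte that would start an escape sequence becomes the literal text
    "\\u001b", so the console shows the sequence instead of executing it.
    """
    return _CONTROL_CHARS.sub(lambda m: '\\u%04x' % ord(m.group(0)), value)


def contains_terminal_escape(line: str) -> bool:
    """Detection helper: True if a log line still carries raw control bytes."""
    return _CONTROL_CHARS.search(line) is not None


def audit_log_lines(lines):
    """Return (index, sanitized_line) for every line containing raw control bytes.

    Useful for scanning existing log files written by an unpatched instance.
    """
    findings = []
    for i, line in enumerate(lines):
        if contains_terminal_escape(line):
            findings.append((i, sanitize_log_field(line)))
    return findings


if __name__ == "__main__":
    for idx, fixed in audit_log_lines(SAMPLE_LOG_LINES):
        print(f"line {idx}: raw control bytes found; sanitized form: {fixed}")
```

Applying `sanitize_log_field` at the point where a request attribute is formatted into a log message is the defensive pattern; `audit_log_lines` is the corresponding check to run over logs produced before the upgrade to a fixed version.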