Apache Tomcat, Improper Input Neutralization, CVE-2025-45456 (Low)


The vulnerability exists because Tomcat does not properly escape ANSI escape sequences in log messages. When Tomcat is running in a console on a Windows OS that supports ANSI sequences, an attacker can craft a specific URL. This URL, when logged, injects ANSI escape sequences into the console. These sequences can manipulate the console output to hide or spoof text and can also control the clipboard. The goal is to perform a terminal deception attack, tricking an administrator who views the logs into copying and executing a malicious command that appears benign. While the primary vector is Windows, other OSes with supporting terminals could potentially be affected. The attack exploits the trust in log files and terminal output.
Platform: Apache Tomcat
Version: 8.5.60-8.5.100, 9.0.40-9.0.108, 10.1.0-10.1.44, 11.0.0-11.0.10
Vulnerability: Log ANSI Injection
Severity: Low
Date: 2025-10-27

Prediction: 2025-11-10

What Undercode Says:

# Request carrying a raw ESC byte in a header; bash $'...' is needed so \x1b becomes the actual escape byte
curl -H $'User-Agent: \x1b[2JEvil-Command' http://vulnerable-tomcat:8080/app
# Look for logged escape sequences; -P interprets \x1b, -a treats the log as text, and [ is escaped
grep -aP '\x1b\[' catalina.out
// Malicious payload in request (Java string with embedded ESC characters)
String maliciousPayload = "\u001B[32mHello \u001B[44;33mAdmin\u001B[0m";

How to Exploit:

Craft malicious HTTP requests containing ANSI escape sequences in headers, parameters, or URLs. When Tomcat logs these requests, the sequences are written raw to the console. An attacker uses sequences to hide the real command, reposition the cursor, or change clipboard content, creating a fake, safe-looking command for the admin to execute.

Protection from this CVE

Upgrade to Tomcat 11.0.11, 10.1.45, or 9.0.109 or later. Disable ANSI processing in the terminal. Use log viewing tools that strip escape sequences. Avoid browsing logs directly in an advanced terminal.
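As an added example (not code from the page or from the Tomcat project), a small Python log filter in the spirit of the "strip escape sequences" mitigation: it flags log lines that carry ESC-led or C1 sequences and rewrites them into a visible escaped form so a terminal prints them instead of acting on them. The access-log lines and the regex are constructed for this example.

```python
import re

# CSI, OSC and other ESC-led sequences, plus C1 control bytes (0x80-0x9F),
# which some terminals interpret the same way.  Constructed regex.
ANSI_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI: ESC [ params intermediates final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC: ESC ] ... terminated by BEL or ST
    r"|\x1b[@-Z\\-_]"                      # other two-byte ESC sequences
    r"|[\x80-\x9f]"                        # C1 control bytes
)


def find_escape_sequences(line: str) -> list:
    """Return every escape sequence found in a log line (for alerting)."""
    return ANSI_SEQ.findall(line)


def neutralize(line: str) -> str:
    """Render control characters (C0 except TAB, DEL, and C1) as \\uXXXX text,
    so the terminal shows them rather than interpreting them."""
    return "".join(
        ch if (ch == "\t" or 0x20 <= ord(ch) < 0x7F or ord(ch) > 0x9F)
        else f"\\u{ord(ch):04x}"
        for ch in line
    )


# Constructed sample lines in Tomcat's "common" access-log format; the second
# one carries a clear-screen sequence inside the request path.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Oct/2025:10:00:00 +0000] "GET /app/index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Oct/2025:10:00:01 +0000] "GET /app/\x1b[2JEvil-Command\x1b[0m HTTP/1.1" 404 0',
]


def scan(lines):
    """Yield (is_suspicious, neutralized_line) for each log line."""
    for line in lines:
        yield bool(find_escape_sequences(line)), neutralize(line)


if __name__ == "__main__":
    for flagged, safe in scan(SAMPLE_LOG):
        print(("ALERT " if flagged else "ok    ") + safe)
```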

Impact:

Terminal output manipulation, arbitrary command execution via social engineering, clipboard control. Low attack complexity but requires admin interaction.


Sources:

Reported By: github.com
