Common Weakness Enumeration

CWE-150

Allowed

Improper Neutralization of Escape, Meta, or Control Sequences

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

115 vulnerabilities reference this CWE, most recent first.

GHSA-MM6V-68QP-F9FW

Vulnerability from github – Published: 2025-01-15 22:04 – Updated: 2025-02-13 16:49
VLAI
Summary
Crayfish allows Remote Code Execution via Homarus Authorization header
Details

Impact

Remote code execution may be possible in web-accessible installations of Homarus in certain configurations.

Patches

The issue has been patched in islandora/crayfish:4.1.0

Workarounds

The exploit requires making a request against the Homarus's /convert endpoint; therefore, the ability to exploit is much reduced if the microservice is not directly accessible from the Internet, so: Prevent general access from the Internet from hitting Homarus.

Configure auth in Crayfish to be more strongly required, such that requests with Authorization headers that do not validate are rejected before the problematic CLI interpolation occurs.

References

  • XBOW-024-071
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "islandora/crayfish"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-25286"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-150",
      "CWE-157"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-15T22:04:19Z",
    "nvd_published_at": "2025-02-13T01:15:25Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nRemote code execution may be possible in web-accessible installations of Homarus in certain configurations.\n\n### Patches\n\nThe issue has been patched in `islandora/crayfish:4.1.0`\n\n### Workarounds\n\nThe exploit requires making a request against the Homarus\u0027s `/convert` endpoint; therefore, the ability to exploit is much reduced if the microservice is not directly accessible from the Internet, so: Prevent general access from the Internet from hitting Homarus.\n\nConfigure auth in Crayfish to be more strongly required, such that requests with `Authorization` headers that do not validate are rejected before the problematic CLI interpolation occurs.\n\n### References\n\n- XBOW-024-071",
  "id": "GHSA-mm6v-68qp-f9fw",
  "modified": "2025-02-13T16:49:25Z",
  "published": "2025-01-15T22:04:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Islandora/Crayfish/security/advisories/GHSA-mm6v-68qp-f9fw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25286"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Islandora/Crayfish/commit/64cb4cec688928798cc40e6f0a0e863d7f69fd89"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Islandora/Crayfish"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Crayfish allows Remote Code Execution via Homarus Authorization header"
}

GHSA-MMFW-G245-WGX2

Vulnerability from github – Published: 2026-01-23 00:31 – Updated: 2026-01-23 00:31
VLAI
Details

Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-21521"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-150"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-22T23:15:57Z",
    "severity": "HIGH"
  },
  "details": "Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network.",
  "id": "GHSA-mmfw-g245-wgx2",
  "modified": "2026-01-23T00:31:17Z",
  "published": "2026-01-23T00:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21521"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21521"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P4VJ-7PQG-XHR6

Vulnerability from github – Published: 2026-07-08 15:32 – Updated: 2026-07-08 21:30
VLAI
Details

App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes.

When ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged. Version 3.10.0 added a _safe_filename helper that sanitises the filenames printed by -f, -g, the colored match heading, and per-match lines, but the --show-types, -l/-L, and -c paths still emit the raw filename.

A file whose name embeds cursor-movement or color escapes can overwrite or recolor earlier terminal output, or be passed unchanged to a downstream consumer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-49147"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-150"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-08T15:16:27Z",
    "severity": "HIGH"
  },
  "details": "App::Ack versions through 3.10.0 for Perl print unsanitised terminal escape sequences from filenames in several output modes.\n\nWhen ack prints a filename whose basename contains terminal control bytes such as ANSI escape sequences, those bytes reach the terminal unchanged. Version 3.10.0 added a _safe_filename helper that sanitises the filenames printed by -f, -g, the colored match heading, and per-match lines, but the --show-types, -l/-L, and -c paths still emit the raw filename.\n\nA file whose name embeds cursor-movement or color escapes can overwrite or recolor earlier terminal output, or be passed unchanged to a downstream consumer.",
  "id": "GHSA-p4vj-7pqg-xhr6",
  "modified": "2026-07-08T21:30:26Z",
  "published": "2026-07-08T15:32:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49147"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/PETDANCE/ack-v3.10.0/source/Changes"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/07/08/9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PQ9P-PC3P-9HM4

Vulnerability from github – Published: 2024-12-27 03:31 – Updated: 2025-02-07 06:31
VLAI
Summary
python-sql SQL injection vulnerability
Details

A vulnerability was found in python-sql where unary operators do not escape non-Expression (like And and Or) which makes any system exposing those vulnerable to an SQL injection attack.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "python-sql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-9774"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-150"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-27T18:02:41Z",
    "nvd_published_at": "2024-12-27T02:15:07Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in python-sql where unary operators do not escape non-Expression (like `And` and `Or`) which makes any system exposing those vulnerable to an SQL injection attack.",
  "id": "GHSA-pq9p-pc3p-9hm4",
  "modified": "2025-02-07T06:31:14Z",
  "published": "2024-12-27T03:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9774"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-9774"
    },
    {
      "type": "WEB",
      "url": "https://bugs.tryton.org/python-sql/93"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2332734"
    },
    {
      "type": "WEB",
      "url": "https://discuss.tryton.org/t/security-release-for-issue-93/7889"
    },
    {
      "type": "WEB",
      "url": "https://discuss.tryton.org/t/security-release-for-issue-93/7889/3"
    },
    {
      "type": "WEB",
      "url": "https://foss.heptapod.net/tryton/python-sql/-/commit/f20551bbb8b3b4c4dd0a2c3d36f377bff6f2f349"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tryton/python-sql"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00023.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "python-sql SQL injection vulnerability"
}

GHSA-PX7F-QJ7M-M4V6

Vulnerability from github – Published: 2024-03-27 21:30 – Updated: 2026-05-12 12:31
VLAI
Details

wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-28085"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-150"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-27T19:15:48Z",
    "severity": "LOW"
  },
  "details": "wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users\u0027 terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.",
  "id": "GHSA-px7f-qj7m-m4v6",
  "modified": "2026-05-12T12:31:36Z",
  "published": "2024-03-27T21:30:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/util-linux/util-linux/security/advisories/GHSA-xv2h-c6ww-mrjq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28085"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-202008.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/skyler-ferrante/CVE-2024-28085"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html"
    },
    {
      "type": "WEB",
      "url": "https://mirrors.edge.kernel.org/pub/linux/utils/util-linux"
    },
    {
      "type": "WEB",
      "url": "https://people.rit.edu/sjf5462/6831711781/wall_2_27_2024.txt"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240531-0003"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2024/03/27/5"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Mar/35"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/03/27/5"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/03/27/6"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/03/27/7"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/03/27/8"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/03/27/9"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/03/28/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/03/28/2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/03/28/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R2VW-H337-2GXM

Vulnerability from github – Published: 2025-02-28 03:30 – Updated: 2025-02-28 03:30
VLAI
Details

IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD console could allow an authenticated user to execute code due to improper neutralization of escape characters.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-0975"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-150"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-28T03:15:10Z",
    "severity": "HIGH"
  },
  "details": "IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD console could allow an authenticated user to execute code due to improper neutralization of escape characters.",
  "id": "GHSA-r2vw-h337-2gxm",
  "modified": "2025-02-28T03:30:55Z",
  "published": "2025-02-28T03:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0975"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7183467"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R4GV-VJ59-CCCM

Vulnerability from github – Published: 2021-06-23 17:27 – Updated: 2021-05-21 18:06
VLAI
Summary
Control character injection in console output in github.com/ipfs/go-ipfs
Details

Impact

Control characters are not escaped from console output. This can result in hiding input from the user which could result in the user taking an unknown, malicious action.

Patches

  • Patched via https://github.com/ipfs/go-ipfs/pull/7831 in v0.8.0

For more information

If you have any questions or comments about this advisory: * Open an issue in go-ipfs * Email us at security@ipfs.io

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/ipfs/go-ipfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-26283"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-150"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-21T18:06:39Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nControl characters are not escaped from console output. This can result in hiding input from the user which could result in the user taking an unknown, malicious action.\n\n### Patches\n\u003c!-- _Has the problem been patched? What versions should users upgrade to?_  --\u003e\n\n- Patched via https://github.com/ipfs/go-ipfs/pull/7831 in v0.8.0\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [go-ipfs](http://github.com/ipfs/go-ipfs)\n* Email us at [security@ipfs.io](mailto:security@ipfs.io)",
  "id": "GHSA-r4gv-vj59-cccm",
  "modified": "2021-05-21T18:06:39Z",
  "published": "2021-06-23T17:27:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ipfs/go-ipfs/security/advisories/GHSA-r4gv-vj59-cccm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26283"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ipfs/go-ipfs/pull/7831"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ipfs/go-ipfs/commit/fb0a9acd2d8288bd1028c3219a420de62a09683a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Control character injection in console output in github.com/ipfs/go-ipfs "
}

GHSA-R95J-4JVF-MRRW

Vulnerability from github – Published: 2025-02-27 15:31 – Updated: 2025-02-27 17:16
VLAI
Summary
MongoDB Shell may be susceptible to control character Injection via shell output
Details

The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions.

The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.

This issue affects mongosh versions prior to 2.3.9.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "mongosh"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-1693"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-150"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-27T17:16:09Z",
    "nvd_published_at": "2025-02-27T13:15:11Z",
    "severity": "LOW"
  },
  "details": "The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions.\n\nThe vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.\n\nThis issue affects mongosh versions prior to 2.3.9.",
  "id": "GHSA-r95j-4jvf-mrrw",
  "modified": "2025-02-27T17:16:09Z",
  "published": "2025-02-27T15:31:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1693"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mongodb-js/mongosh"
    },
    {
      "type": "WEB",
      "url": "https://jira.mongodb.org/browse/MONGOSH-2026"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "MongoDB Shell may be susceptible to control character Injection via shell output"
}

GHSA-RRV5-483W-XMR9

Vulnerability from github – Published: 2025-04-23 18:31 – Updated: 2025-04-24 00:31
VLAI
Details

In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-58251"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-150"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-23T18:16:03Z",
    "severity": "LOW"
  },
  "details": "In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.",
  "id": "GHSA-rrv5-483w-xmr9",
  "modified": "2025-04-24T00:31:19Z",
  "published": "2025-04-23T18:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58251"
    },
    {
      "type": "WEB",
      "url": "https://bugs.busybox.net/show_bug.cgi?id=15922"
    },
    {
      "type": "WEB",
      "url": "https://www.busybox.net"
    },
    {
      "type": "WEB",
      "url": "https://www.busybox.net/downloads"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/04/23/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VFWW-5HM6-HX2J

Vulnerability from github – Published: 2025-10-27 18:31 – Updated: 2026-05-13 16:23
VLAI
Summary
Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences
Details

Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108.

The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0-M1"
            },
            {
              "fixed": "11.0.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.1.0-M1"
            },
            {
              "fixed": "10.1.45"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.40"
            },
            {
              "fixed": "9.0.109"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.5.60"
            },
            {
              "last_affected": "8.5.100"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat.embed:tomcat-embed-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0-M1"
            },
            {
              "fixed": "11.0.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat.embed:tomcat-embed-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.1.0-M1"
            },
            {
              "fixed": "10.1.45"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat.embed:tomcat-embed-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.40"
            },
            {
              "fixed": "9.0.109"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat.embed:tomcat-embed-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.5.60"
            },
            {
              "last_affected": "8.5.100"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat-catalina"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0-M1"
            },
            {
              "fixed": "11.0.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat-catalina"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.1.0-M1"
            },
            {
              "fixed": "10.1.45"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat-catalina"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.40"
            },
            {
              "fixed": "9.0.109"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat-catalina"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.5.60"
            },
            {
              "last_affected": "8.5.100"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-55754"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-150"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-28T17:57:42Z",
    "nvd_published_at": "2025-10-27T18:15:42Z",
    "severity": "LOW"
  },
  "details": "Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems.\n\n\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108.\n\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.60 though 8.5.100. Other, older, EOL versions may also be affected.\nUsers are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.",
  "id": "GHSA-vfww-5hm6-hx2j",
  "modified": "2026-05-13T16:23:31Z",
  "published": "2025-10-27T18:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55754"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tomcat/commit/138d7f5cfaae683078948303333c080e6faa75d2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tomcat/commit/5a3db092982c0c58d4855304167ee757fe5e79bb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tomcat/commit/a03cabf3a36a42d27d8d997ed31f034f50ba6cd5"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/tomcat"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/j7w54hqbkfcn0xb9xy0wnx8w5nymcbqd"
    },
    {
      "type": "WEB",
      "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.45"
    },
    {
      "type": "WEB",
      "url": "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.11"
    },
    {
      "type": "WEB",
      "url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.109"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/10/27/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences"
}

Mitigation

Developers should anticipate that escape, meta and control characters/sequences will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-28
Implementation

Strategy: Output Encoding

While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).

Mitigation MIT-20
Implementation

Strategy: Input Validation

Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

Mitigation
Implementation

When using output from an LLM, neutralize or strip escape codes before redirecting output to the terminal or other rendering engine that would process the codes. The neutralization could require that the character be printable and/or allowable whitespace, such as a carriage return or newline. Be deliberate about what to allow.

Mitigation
Build and Compilation

When using an LLM: during tokenizer training, suppress escape codes from the tokenizer's vocabulary. Depending on context, this could be accomplished by removing the codes from input to the tokenizer, or removing the map from the string to its token ID. It is generally unlikely that this removal would adversely affect the quality or correctness of what is generated, e.g. advice requests for terminal settings to change colors.

CAPEC-134: Email Injection

An adversary manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol.

CAPEC-41: Using Meta-characters in E-mail Headers to Inject Malicious Payloads

This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.

CAPEC-81: Web Server Logs Tampering

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.

CAPEC-93: Log Injection-Tampering-Forging

This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.