If we have restful application that implements PUT for JSON and XML, then are we affected by this? I don't understand how client could upload something to /WEB-INF/ or /META-INF/ by PUT?
Document says: https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.110 " Fixed in Apache Tomcat 9.0.109 Low: Console manipulation via escape sequences in log messages CVE-2025-55754 Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems. This was fixed with commit a03cabf3. This issue was reported to the Tomcat security team on 5 August 2025. The issue was made public on 27 October 2025. Affects: 9.0.40 to 9.0.108 Important: Directory traversal via Rewrite Valve with possible remote code execution if PUT is enabled CVE-2025-55752 The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI. This was fixed with commit b5042622. This issue was reported to the Tomcat security team on 11 August 2025. The issue was made public on 27 October 2025. Affects: 9.0.0.M11 to 9.0.108 "
