CVE-2025-55668
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-13

Last updated on: 2025-11-04

Assigner: Apache Software Foundation

Description
Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-13
Last Modified
2025-11-04
Generated
2026-05-27
AI Q&A
2025-08-13
EPSS Evaluated
2026-05-25
NVD
CVE-2025-55668
Affected Vendors & Products
Showing 30 associated CPEs
Vendor Product Version / Range
apache tomcat From 9.0.1 (inc) to 9.0.106 (exc)
apache tomcat From 10.0.0 (inc) to 10.1.42 (exc)
apache tomcat From 11.0.0 (inc) to 11.0.8 (exc)
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
apache tomcat 9.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-384 Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Session Fixation issue in Apache Tomcat that occurs via the rewrite valve. It affects versions from 11.0.0-M1 through 11.0.7, 10.1.0-M1 through 10.1.41, and 9.0.0.M1 through 9.0.105. Session Fixation allows an attacker to fixate a user's session ID, potentially enabling unauthorized access by forcing a user to use a known session ID.


How can this vulnerability impact me? :

This vulnerability can impact you by allowing an attacker to hijack a user's session through session fixation, potentially gaining unauthorized access to the user's authenticated session. This can lead to unauthorized actions performed on behalf of the user without their consent.


What immediate steps should I take to mitigate this vulnerability?

Users are recommended to upgrade Apache Tomcat to version 11.0.8, 10.1.42, or 9.0.106, which fix the Session Fixation vulnerability in the rewrite valve.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart