CVE-2025-55668

MEDIUM

Apache Tomcat <11.0.7, <10.1.41, <9.0.105 - Session Fixation

Title source: llm

Description

Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

Exploits (1)

nomisec WRITEUP
by gregk4sec · poc
https://github.com/gregk4sec/CVE-2025-55668

Scores

CVSS v3 6.5
EPSS 0.0002
EPSS Percentile 4.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Details

CWE
CWE-384
Status published
Products (3)
apache/tomcat 9.0.0 milestone1 (27 CPE variants)
apache/tomcat 9.0.1 - 9.0.106
org.apache.tomcat/tomcat-catalina 11.0.0-M1 - 11.0.8 (Maven)
Published Aug 13, 2025
Tracked Since Feb 18, 2026