CVE-2025-55668

Published Aug 13, 2025

Last updated 7 months ago

CVSS medium 6.5

Overview

Description: Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Source: security@apache.org
NVD status: Analyzed
Products: tomcat

Risk scores

CVSS 3.1

Type: Secondary
Base score: 6.5
Impact score: 3.6
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Severity: MEDIUM

Weaknesses

security@apache.org: CWE-384

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "6D612584-5CB2-48F6-A969-0016A419FCB7",
            "versionEndExcluding": "9.0.106",
            "versionStartIncluding": "9.0.1",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "B331712D-D798-4901-AE46-C9B57379410A",
            "versionEndExcluding": "10.1.42",
            "versionStartIncluding": "10.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "EE393E87-D325-4ABB-B49C-5863ECD3DD83",
            "versionEndExcluding": "11.0.8",
            "versionStartIncluding": "11.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*",
            "matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*",
            "matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*",
            "matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*",
            "matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*",
            "matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*",
            "matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*",
            "matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*",
            "matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*",
            "matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*",
            "matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*",
            "matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*",
            "matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*",
            "matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*",
            "matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*",
            "matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*",
            "matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*",
            "matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*",
            "matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*",
            "matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*",
            "matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*",
            "matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*",
            "matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*",
            "matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*",
            "matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*",
            "matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*",
            "matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*",
            "matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References