MEDIUM 6.5
GHSA-23hv-mwm6-g8jf
Apache Tomcat Session Fixation vulnerability
Details
Session Fixation vulnerability in Apache Tomcat via rewrite valve.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
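The version ranges above are the whole of what this advisory gives an operator to act on, and the milestone suffixes make naive string comparison unreliable ("9.0.0.M1" in the 9.x line, "11.0.0-M1" in later lines, with milestones sorting before the GA release of the same number). The following is an added example, not code from the advisory or from the Tomcat project: it parses Tomcat version strings into a sortable form, classifies a version against the ranges listed above, and scans `mvn dependency:tree` output for the two artifacts named on this page. The dependency-tree text is constructed for illustration; the `tomcat.version`-style caveat in the comments is a general Maven point, not something the advisory states.

```python
import re
from typing import Dict, Tuple

# Ranges copied from the advisory text: (first affected, last affected, first fixed)
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.7", "11.0.8"),
    ("10.1.0-M1", "10.1.41", "10.1.42"),
    ("9.0.0.M1", "9.0.105", "9.0.106"),
]

# Maven coordinates listed under "Affected packages" on this page
AFFECTED_ARTIFACTS = {
    "org.apache.tomcat:tomcat-catalina",
    "org.apache.tomcat.embed:tomcat-embed-core",
}

# major.minor.patch with an optional milestone written as ".M<n>" (9.x) or "-M<n>" (10.1.x, 11.x)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

# Sentinel larger than any milestone number, so GA sorts after every milestone of the same number
_GA = 10**6


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a Tomcat version into (major, minor, patch, milestone-or-GA) for ordering."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    ms = int(milestone) if milestone is not None else _GA
    return (int(major), int(minor), int(patch), ms)


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for this advisory.

    'unlisted' covers lines the advisory does not enumerate (e.g. 8.5.x or 10.0.x);
    the advisory says older, EOL versions may also be affected, so treat it as a warning, not a pass.
    """
    v = parse_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        lo, hi, fx = parse_version(first), parse_version(last), parse_version(fixed)
        if lo <= v <= hi:
            return "affected"
        # same major line and at or beyond the fix release
        if v[0] == fx[0] and v >= fx:
            return "fixed"
    return "unlisted"


def scan_dependency_tree(tree_text: str) -> Dict[str, Tuple[str, str]]:
    """Map each affected Tomcat artifact found in `mvn dependency:tree` output to (version, classification).

    Tokens look like groupId:artifactId:type[:classifier]:version:scope, so the version is always
    the second-to-last colon-separated field. Resolved versions are used here on purpose: a pom.xml
    that inherits the version from a parent POM or dependencyManagement does not show the literal.
    """
    results: Dict[str, Tuple[str, str]] = {}
    for line in tree_text.splitlines():
        for token in line.split():
            parts = token.split(":")
            if len(parts) < 5:
                continue
            ga = f"{parts[0]}:{parts[1]}"
            if ga in AFFECTED_ARTIFACTS:
                version = parts[-2]
                results[ga] = (version, classify(version))
    return results


# Constructed sample of dependency:tree output (illustrative coordinates, not a real project)
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0.0
[INFO] +- com.example:embedded-server-starter:jar:2.0.0:compile
[INFO] |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.41:compile
[INFO] |  \\- org.apache.tomcat.embed:tomcat-embed-websocket:jar:10.1.41:compile
[INFO] \\- org.apache.tomcat:tomcat-catalina:jar:9.0.106:test
"""

if __name__ == "__main__":
    for ga, (ver, status) in scan_dependency_tree(SAMPLE_TREE).items():
        print(f"{ga} {ver}: {status}")
```

Run `mvn dependency:tree` in the project and feed its output to `scan_dependency_tree`; anything reported as `affected` needs the bump described below, and anything `unlisted` is on a release line this advisory does not cover and should be checked against the Tomcat security pages linked in the references.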
Affected packages
Maven / org.apache.tomcat:tomcat-catalina
- Introduced in: 11.0.0-M1, fixed in: 11.0.8
- Introduced in: 10.1.0-M1, fixed in: 10.1.42
- Introduced in: 9.0.0.M1, fixed in: 9.0.106
Maven / org.apache.tomcat.embed:tomcat-embed-core
- Introduced in: 11.0.0-M1, fixed in: 11.0.8
- Introduced in: 10.1.0-M1, fixed in: 10.1.42
- Introduced in: 9.0.0.M1, fixed in: 9.0.106
Fix
# pom.xml: bump <version> of org.apache.tomcat:tomcat-catalina or org.apache.tomcat.embed:tomcat-embed-core to 11.0.8, 10.1.42 or 9.0.106, whichever matches the release line in use. If the version is inherited from a parent POM or dependencyManagement, override it there; confirm the resolved version with mvn dependency:tree rather than by reading pom.xml alone.
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-55668 [ADVISORY]
- https://github.com/apache/tomcat/commit/8621e4c6ba2c916a41eb34cb0f781171ead33fb6 [WEB]
- https://github.com/apache/tomcat/commit/90306d971bb8b8393336d893644124fb2ca11d21 [WEB]
- https://github.com/apache/tomcat/commit/9c3673ba04009377cb0c81ccb6cf5078aec1aa95 [WEB]
- https://github.com/apache/tomcat [PACKAGE]
- https://lists.apache.org/thread/v6bknr96rl7l1qxkl1c03v0qdvbbqs47 [WEB]
- https://tomcat.apache.org/security-10.html [WEB]
- https://tomcat.apache.org/security-11.html [WEB]
- https://tomcat.apache.org/security-9.html [WEB]
- http://www.openwall.com/lists/oss-security/2025/08/13/3 [WEB]