CVE-2025-55668

CVE-2025-55668: Apache Tomcat: session fixation via rewrite valve

Vendor Apache Software Foundation

Product Apache Tomcat

Weakness CWE-384 · Session fixation

Published August 13, 2025

Last update November 4, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

Key dates

Disclosure timeline

August 13, 2025 CVE published

November 4, 2025 Record updated

Identifiers

CVE CVE-2025-55668

CWE CWE-384

Affected versions

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 11.0.0-M1 and ≤ 11.0.7

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 10.1.0-M1 and ≤ 10.1.41

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 9.0.0.M1 and ≤ 9.0.105