CVE-2025-55668— Apache Tomcat: session fixation via rewrite valve
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-55668
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache Tomcat: session fixation via rewrite valve
Source: NVD (National Vulnerability Database)
Vulnerability Description
Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
会话固定
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Tomcat 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache Tomcat是美国阿帕奇(Apache)基金会的一款轻量级Web应用服务器。用于实现对Servlet和JavaServer Page(JSP)的支持。 Apache Tomcat 11.0.0-M1至11.0.7版本、10.1.0-M1至10.1.41版本和9.0.0.M1至9.0.105版本存在授权问题漏洞,该漏洞源于rewrite valve导致的会话固定问题。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache Tomcat | 11.0.0-M1 ~ 11.0.7 | - |
II. Public POCs for CVE-2025-55668
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | Apache Tomcat - Session fixation via rewrite valve | https://github.com/gregk4sec/CVE-2025-55668 | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-55668
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: Apache Tomcat
- CVE-2026-43515
Apache Tomcat: Security constraints not correctly applied - CVE-2026-43514
Apache Tomcat: AJP secret compared in non-constant time - CVE-2026-43513
Apache Tomcat: LockOutRealm treats user names as case-sensit - CVE-2026-43512
Apache Tomcat: Digest authenticator will authenticate any un - CVE-2026-41293
Apache Tomcat: HTTP/2 request headers not validated
Same vendor: Apache Software Foundation
- CVE-2026-44417
Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS - CVE-2026-44618
Apache CXF: XXE vulnerability in WS-Transfer functionality - CVE-2026-44930
Apache CXF: LDAP Injection vulnerability in XKMS LDAP Reposi - CVE-2026-48207
Apache Fory: PyFory ReduceSerializer Incomplete Policy Enfor - CVE-2026-45760
Apache Camel K: Camel K Cross-Namespace Build Deputy Attack
Same weakness: CWE-384
- CVE-2026-41613
Visual Studio Code Elevation of Privilege Vulnerability - CVE-2026-30808
Session Fixation in Authentication leads to Session Hijackin - CVE-2025-46605
Dell PowerProtect Data Domain(Dell PowerProtect DD) 安全漏洞 - CVE-2026-31940
Session Fixation in Chamilo LMS - CVE-2026-33946
MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream
V. Comments for CVE-2025-55668
No comments yet