2388226 – (CVE-2025-55668) CVE-2025-55668 org.apache.tomcat/tomcat-catalina: tomcat: Apache Tomcat: session fixation via rewrite valve

Bug 2388226 (CVE-2025-55668) - CVE-2025-55668 org.apache.tomcat/tomcat-catalina: tomcat: Apache Tomcat: session fixation via rewrite valve

Summary: CVE-2025-55668 org.apache.tomcat/tomcat-catalina: tomcat: Apache Tomcat: sess...

Keywords:
Status:	NEW
Alias:	CVE-2025-55668
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2388416 2388417 2394345 2394346
Blocks:
TreeView+	depends on / blocked

Reported:	2025-08-13 14:01 UTC by OSIDB Bzimport
Modified:	2025-09-10 07:18 UTC (History)
CC List:	60 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-08-13 14:01:09 UTC

Session Fixation vulnerability in Apache Tomcat via rewrite valve.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.
Older, EOL versions may also be affected.

Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

Note You need to log in before you can comment on or make changes to this bug.

aakkiang
aschwart
asoldano
bbaranow
bmaxwell
boliveir
brian.stansberry
cdewolf
cfu
csutherl
darran.lofthouse
dhanak
dkreling
dosoudil
drosa
dsirrine
dsoumis
edewata
fjuma
gkimetto
gmalinko
ibek
istudens
ivassile
iweiss
janstey
jclere
jmagne
jrokos
kverlaen
lgao
mfargett
mharmsen
mnovotny
mosmerov
mposolda
msochure
msvehla
nwallace
pdelbell
pesilva
pjindal
plodge
pmackay
prisingh
rmaucher
rstancel
rstepani
sausingh
sdawley
skhandel
smaestri
ssilvert
sthorger
szappis
taherrin
teagle
tom.jenkinson
vchlup
vmuzikar