CVE-2025-55668
📋 TL;DR
This CVE describes a session fixation vulnerability in Apache Tomcat's rewrite valve that allows attackers to hijack user sessions. An attacker can fixate a session ID before a victim authenticates and then reuse that session once the victim has logged in. This affects the Tomcat 9.x, 10.x, and 11.x lines in releases prior to the fixed versions listed below.
💻 Affected Systems
- Apache Tomcat
📦 What is this software?
Tomcat by Apache
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to authenticated user sessions, potentially compromising sensitive data or performing privileged actions as legitimate users.
Likely Case
Session hijacking leading to unauthorized access to user accounts and potential data exposure.
If Mitigated
Limited impact with proper session management controls, but still presents authentication bypass risk.
🎯 Exploit Status
Exploitation requires ability to set session IDs and knowledge of rewrite valve configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.0.8, 10.1.42, or 9.0.106
Vendor Advisory: https://lists.apache.org/thread/v6bknr96rl7l1qxkl1c03v0qdvbbqs47
Restart Required: Yes
Instructions:
1. Download the patched version from the Apache Tomcat website.
2. Back up the current installation.
3. Replace the Tomcat installation with the patched version.
4. Restart the Tomcat service.
🔧 Temporary Workarounds
Disable Rewrite Valve
Remove or comment out the rewrite valve configuration in server.xml.
Edit $CATALINA_HOME/conf/server.xml and remove or comment out <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
🧯 If You Can't Patch
- Implement additional session validation in applications to detect session fixation attempts
- Configure web application firewalls to monitor for session manipulation patterns
🔍 How to Verify
Check if Vulnerable:
Check Tomcat version and verify rewrite valve is configured in server.xml
Check Version:
java -cp $CATALINA_HOME/lib/catalina.jar org.apache.catalina.util.ServerInfo
Verify Fix Applied:
Verify Tomcat version is 11.0.8+, 10.1.42+, or 9.0.106+
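The following script is an added example, not part of this advisory or of the Apache Tomcat project. It turns the two checks above into functions: one classifies a Tomcat version string against the fixed releases named in this advisory (11.0.8, 10.1.42, 9.0.106), one extracts the version from the output of the `ServerInfo` command (assuming its usual `Server number: X.Y.Z.0` line), and one looks for the RewriteValve class name in a `server.xml`. The file path used in the usage line is an assumption.

```shell
#!/bin/sh
# Added example (not from the advisory or from Apache). Classifies a Tomcat
# version against the fixed releases the advisory lists and checks whether a
# server.xml mentions the RewriteValve.

# Print "fixed", "vulnerable" or "unknown" for a version such as 9.0.105 or 9.0.105.0.
# Only the three branches with a fixed release on this page are classified;
# anything else (e.g. an EOL branch) is reported as "unknown" rather than guessed.
tomcat_cve_2025_55668_status() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}   # drop a trailing ".0" build component, if present
    case "$major.$minor" in
        9.0)  fixed=106 ;;
        10.1) fixed=42 ;;
        11.0) fixed=8 ;;
        *)    echo unknown; return 0 ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Read ServerInfo output on stdin and print the version from its
# "Server number:" line (assumed format: "Server number: 9.0.105.0").
tomcat_version_from_serverinfo() {
    sed -n 's/^Server number:[[:space:]]*//p' | head -n 1
}

# Return 0 if the given server.xml mentions the RewriteValve class.
# This is a deliberately crude text match: a commented-out <Valve> still
# matches, so a hit means "review this file", not "the valve is active".
rewrite_valve_configured() {
    grep -q 'org.apache.catalina.valves.rewrite.RewriteValve' "$1"
}

# Usage (paths are assumptions):
#   ver=$(java -cp "$CATALINA_HOME/lib/catalina.jar" org.apache.catalina.util.ServerInfo \
#         | tomcat_version_from_serverinfo)
#   echo "Tomcat $ver: $(tomcat_cve_2025_55668_status "$ver")"
#   rewrite_valve_configured "$CATALINA_HOME/conf/server.xml" && echo "RewriteValve referenced in server.xml"
```

A host is of concern only when both checks fire: the version is classified as vulnerable and the RewriteValve is actually enabled in `server.xml` (confirm the match is not inside an XML comment before acting on it).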
📡 Detection & Monitoring
Log Indicators:
- Multiple session creations from same IP with different session IDs
- Session ID changes after authentication
Network Indicators:
- Unusual session parameter manipulation in HTTP requests
SIEM Query:
source="tomcat" AND (event="SESSION_CREATED" OR event="SESSION_ID_CHANGED")
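As an added example of the first log indicator above (many distinct session IDs from one client address), here is a small awk-based check over access-log lines. It is not part of the advisory. It assumes the AccessLogValve pattern `%h %u %S %t "%r" %s` (client IP, remote user, session ID, time, request line, status), so the session ID is the third field; the log lines and IP addresses are constructed sample data, and the threshold is a tuning assumption.

```shell
#!/bin/sh
# Added example (not from the advisory). Flags client IPs that appear with an
# unusually high number of distinct session IDs in a Tomcat access log whose
# AccessLogValve pattern is assumed to be '%h %u %S %t "%r" %s'.

# Read log lines on stdin; print (sorted) each client IP whose number of
# distinct session IDs (field 3) is at least the threshold given as $1.
ips_with_many_sessions() {
    awk -v threshold="$1" '
        {
            key = $1 SUBSEP $3          # one entry per (client IP, session ID) pair
            if (!(key in seen)) {
                seen[key] = 1
                distinct[$1]++
            }
        }
        END {
            for (ip in distinct)
                if (distinct[ip] >= threshold) print ip
        }' | sort
}

# Constructed sample log: one client cycling through four session IDs against
# the login page, and a normal client that keeps a single session.
SAMPLE_LOG='203.0.113.5 - 4F2A1C - [01/Jan/2025:10:00:00 +0000] "GET /login HTTP/1.1" 200
203.0.113.5 - 9B7E3D - [01/Jan/2025:10:00:01 +0000] "GET /login HTTP/1.1" 200
203.0.113.5 - C0FFEE - [01/Jan/2025:10:00:02 +0000] "GET /login HTTP/1.1" 200
203.0.113.5 - D15EA5 - [01/Jan/2025:10:00:03 +0000] "GET /login HTTP/1.1" 200
198.51.100.7 - AB12CD - [01/Jan/2025:10:00:04 +0000] "GET /app HTTP/1.1" 200
198.51.100.7 - AB12CD - [01/Jan/2025:10:00:05 +0000] "GET /app/data HTTP/1.1" 200'

# Usage: against the constructed sample, or a real log file
#   printf '%s\n' "$SAMPLE_LOG" | ips_with_many_sessions 3
#   ips_with_many_sessions 3 < "$CATALINA_BASE/logs/localhost_access_log.txt"
```

Note that the sample above places the session ID as a bare field; if the real pattern wraps fields differently (or no `%S` is configured), the field index in the awk program must be adjusted, and clients behind a shared NAT address will legitimately show many sessions, so treat the output as a triage list rather than an alert on its own.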