VYPR
Moderate severity · NVD Advisory · Published Aug 25, 2023 · Updated Oct 29, 2025

Apache Tomcat: Open redirect with FORM authentication

CVE-2023-41080

Description

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the FORM authentication feature of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, EOL versions may also be affected.

The vulnerability is limited to the ROOT (default) web application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An open redirect in Apache Tomcat's FORM authentication can redirect users to untrusted external sites, enabling phishing attacks.

Vulnerability

Overview

CVE-2023-41080 is an open redirect vulnerability in the FORM authentication feature of Apache Tomcat that allows an attacker to redirect users to untrusted external sites. The issue occurs because the savedRequestURL method in FormAuthenticator builds the post-login redirect URL from the saved request URI and query string without rejecting protocol-relative or absolute redirects. The fix commits [3] and [4] add a loop that deletes the first character while the second character is '/', collapsing any leading run of slashes to a single slash so the resulting redirect can no longer be protocol-relative.
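As an added illustration (not code from this page or from the Tomcat project), the Python below mirrors the pre-fix and post-fix behaviour of savedRequestURL on constructed saved requests and resolves the resulting Location value against a constructed origin to show which host a user agent would be sent to; all function names, the origin and the host names are assumptions.

```python
from urllib.parse import urljoin, urlsplit

ORIGIN = "https://tomcat.example"  # constructed origin of the Tomcat instance


def saved_request_url_before(uri, query):
    """Pre-fix savedRequestURL: saved URI plus optional query, returned as-is."""
    return uri if query is None else f"{uri}?{query}"


def saved_request_url_after(uri, query):
    """Post-fix savedRequestURL: same string, then the patch's loop deletes
    the first character while the second is '/', so a leading run of slashes
    collapses to a single '/' and the value can no longer start with '//'."""
    sb = list(saved_request_url_before(uri, query))
    while len(sb) > 1 and sb[1] == "/":
        del sb[0]
    return "".join(sb)


def is_protocol_relative(location):
    """The condition the patch guards against: a second leading '/'."""
    return len(location) > 1 and location[0] == "/" and location[1] == "/"


def redirect_host(location, origin=ORIGIN):
    """Host a user agent contacts for a Location header resolved against the
    Tomcat origin (urljoin follows RFC 3986 network-path references)."""
    return urlsplit(urljoin(origin + "/", location)).netloc


# Constructed saved requests: a legitimate one and two starting with '//'.
CASES = {
    "legit": ("/manager/html", "org=1"),
    "double_slash": ("//evil.example/", None),
    "triple_slash": ("///evil.example/", "x=1"),
}


def audit():
    """Per case: (before, protocol-relative?, after, protocol-relative?)."""
    out = {}
    for name, (uri, query) in CASES.items():
        before = saved_request_url_before(uri, query)
        after = saved_request_url_after(uri, query)
        out[name] = (before, is_protocol_relative(before),
                     after, is_protocol_relative(after))
    return out


if __name__ == "__main__":
    for name, row in audit().items():
        print(name, row)
    print("//evil.example/ resolves to host:", redirect_host("//evil.example/"))
    print("/evil.example/ resolves to host:", redirect_host("/evil.example/"))
```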

Exploitation

Conditions

To exploit this vulnerability, an attacker needs to craft a login request that includes a malicious redirect parameter. The FORM authentication process will then redirect the user's browser to the attacker-controlled site after successful authentication. The vulnerability is limited to the ROOT (default) web application, but unauthenticated attackers can trigger the redirect if the target Tomcat instance uses FORM-based authentication. No special network position is required; the attack can be performed remotely over HTTP or HTTPS [1].

Impact

A successful exploitation could allow an attacker to perform phishing attacks by redirecting users to a look-alike malicious site, potentially leading to credential theft or other social engineering attacks. The redirect is performed after authentication, but the user may be tricked into entering credentials on the malicious site. The CVSS score and vector are not yet published by NVD [1].

Mitigation

Apache has released commits that fix the issue in the affected versions [3][4]. Users should upgrade to a patched version: Tomcat 11.0.0-M11 or later, 10.1.13 or later, 9.0.80 or later, 8.5.93 or later. Older, EOL versions may also be vulnerable and no patches are available, so upgrading to a supported version is recommended [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
org.apache.tomcat:tomcat | Maven | >= 11.0.0-M1, < 11.0.0-M11 | 11.0.0-M11
org.apache.tomcat:tomcat | Maven | >= 10.1.0-M1, < 10.1.13 | 10.1.13
org.apache.tomcat:tomcat | Maven | >= 9.0.0-M1, < 9.0.80 | 9.0.80
org.apache.tomcat:tomcat | Maven | >= 8.5.0, < 8.5.93 | 8.5.93
org.apache.tomcat.embed:tomcat-embed-core | Maven | >= 8.5.0, < 8.5.93 | 8.5.93
org.apache.tomcat.embed:tomcat-embed-core | Maven | >= 9.0.0-M1, < 9.0.80 | 9.0.80
org.apache.tomcat.embed:tomcat-embed-core | Maven | >= 10.1.0-M1, < 10.1.13 | 10.1.13
org.apache.tomcat.embed:tomcat-embed-core | Maven | >= 11.0.0-M1, < 11.0.0-M11 | 11.0.0-M11

Affected products (35)

Patches (4)
e3703c9abb8f

Avoid protocol relative redirects

https://github.com/apache/tomcat · Mark Thomas · Aug 22, 2023 · via ghsa
2 files changed · +9 -0
  • java/org/apache/catalina/authenticator/FormAuthenticator.java (+6 -0, modified)
    @@ -742,6 +742,12 @@ protected String savedRequestURL(Session session) {
                 sb.append('?');
                 sb.append(saved.getQueryString());
             }
    +
    +        // Avoid protocol relative redirects
    +        while (sb.length() > 1 && sb.charAt(1) == '/') {
    +            sb.deleteCharAt(0);
    +        }
    +
             return sb.toString();
         }
     }
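Review bot: the added loop only strips a second leading ASCII '/' (sb.charAt(1) == '/'), which covers the `//host/...` form this commit targets and nothing else; it is also a no-op unless the builder already starts with '/', so a comment stating that savedRequestURL relies on the saved request URI always beginning with '/' would make that assumption explicit. No test accompanies the change; a unit test covering '//' and '///' prefixes, with and without a query string, would pin the behaviour.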
    
  • webapps/docs/changelog.xml (+3 -0, modified)
    @@ -125,6 +125,9 @@
             exceptions. As a consequence, the <code>FailedRequestFilter</code> has
             been removed. (markt)
           </add>
    +      <fix>
    +        Avoid protocol relative redirects in FORM authentication. (markt)
    +      </fix>
         </changelog>
       </subsection>
       <subsection name="Web applications">
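Review bot: the new <fix> entry names neither the component (savedRequestURL in FormAuthenticator) nor CVE-2023-41080; naming the component now and adding the CVE reference once it is public would let operators map this changelog line to the advisory.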
    
bb4624a9f3e6

Avoid protocol relative redirects

https://github.com/apache/tomcat · Mark Thomas · Aug 22, 2023 · via ghsa
2 files changed · +9 -0
  • java/org/apache/catalina/authenticator/FormAuthenticator.java (+6 -0, modified)
    @@ -747,6 +747,12 @@ protected String savedRequestURL(Session session) {
                 sb.append('?');
                 sb.append(saved.getQueryString());
             }
    +
    +        // Avoid protocol relative redirects
    +        while (sb.length() > 1 && sb.charAt(1) == '/') {
    +            sb.deleteCharAt(0);
    +        }
    +
             return sb.toString();
         }
     }
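Review bot: same six-line change as in e3703c9abb8f, applied at line 747 instead of 742; as there, only a second ASCII '/' is stripped (sb.charAt(1) == '/'), the loop is a no-op unless the builder already starts with '/', and no test accompanies the backport.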
    
  • webapps/docs/changelog.xml (+3 -0, modified)
    @@ -117,6 +117,9 @@
             Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes
             and KiB for 1024 bytes rather than MB and kB. (martk)
           </fix>
    +      <fix>
    +        Avoid protocol relative redirects in FORM authentication. (markt)
    +      </fix>
         </changelog>
       </subsection>
       <subsection name="Web applications">
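Review bot: the unchanged context directly above the new entry credits "(martk)", which looks like a typo for the "(markt)" used in the added entry; since the entry sits immediately below it, this is worth correcting in the same commit.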
    
77c0ce2d169e

Avoid protocol relative redirects

https://github.com/apache/tomcat · Mark Thomas · Aug 22, 2023 · via ghsa
2 files changed · +9 -0
  • java/org/apache/catalina/authenticator/FormAuthenticator.java (+6 -0, modified)
    @@ -747,6 +747,12 @@ protected String savedRequestURL(Session session) {
                 sb.append('?');
                 sb.append(saved.getQueryString());
             }
    +
    +        // Avoid protocol relative redirects
    +        while (sb.length() > 1 && sb.charAt(1) == '/') {
    +            sb.deleteCharAt(0);
    +        }
    +
             return sb.toString();
         }
     }
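Review bot: identical backport of the e3703c9abb8f change at line 747; the same caveats hold here, namely that only a second ASCII '/' at index 1 is removed and the hunk adds no test for the '//' and '///' prefixes it is meant to neutralise.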
    
  • webapps/docs/changelog.xml (+3 -0, modified)
    @@ -117,6 +117,9 @@
             Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes
             and KiB for 1024 bytes rather than MB and kB. (martk)
           </fix>
    +      <fix>
    +        Avoid protocol relative redirects in FORM authentication. (markt)
    +      </fix>
         </changelog>
       </subsection>
       <subsection name="Web applications">
    
4998ad745b67

Avoid protocol relative redirects

https://github.com/apache/tomcat · Mark Thomas · Aug 22, 2023 · via ghsa
2 files changed · +9 -0
  • java/org/apache/catalina/authenticator/FormAuthenticator.java (+6 -0, modified)
    @@ -747,6 +747,12 @@ protected String savedRequestURL(Session session) {
                 sb.append('?');
                 sb.append(saved.getQueryString());
             }
    +
    +        // Avoid protocol relative redirects
    +        while (sb.length() > 1 && sb.charAt(1) == '/') {
    +            sb.deleteCharAt(0);
    +        }
    +
             return sb.toString();
         }
     }
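Review bot: fourth copy of the same six-line change at line 747; as with the other backports, the guard is limited to a second ASCII '/' (sb.charAt(1) == '/') and relies on the builder starting with '/', and no test is added alongside it.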
    
  • webapps/docs/changelog.xml (+3 -0, modified)
    @@ -117,6 +117,9 @@
             Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes
             and KiB for 1024 bytes rather than MB and kB. (martk)
           </fix>
    +      <fix>
    +        Avoid protocol relative redirects in FORM authentication. (markt)
    +      </fix>
         </changelog>
       </subsection>
       <subsection name="Web applications">
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (11)

News mentions (0)

No linked articles in our index yet.