Apache Tomcat: session fixation via rewrite valve
Description
Session Fixation vulnerability in Apache Tomcat via rewrite valve.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Session Fixation in Apache Tomcat rewrite valve allows attackers to hijack sessions; fixed in 11.0.8, 10.1.42, 9.0.106.
Vulnerability Overview
CVE-2025-55668 is a Session Fixation vulnerability in Apache Tomcat's rewrite valve. The flaw allows an attacker to fixate a user's session identifier by leveraging the rewrite valve's behavior, potentially enabling session hijacking. This issue affects Apache Tomcat versions 11.0.0-M1 through 11.0.7, 10.1.0-M1 through 10.1.41, and 9.0.0.M1 through 9.0.105; older end-of-life versions may also be affected [1][2][3][4].
Attack Vector and Prerequisites
To exploit this vulnerability, the attacker must be able to influence the session identifier via the rewrite valve, typically by crafting a malicious URL or request. No authentication is required for exploitation, but the victim must be using a vulnerable Tomcat instance with the rewrite valve enabled. The attacker can set a known session ID before the victim authenticates, leading to session fixation [4].
Impact
Successful exploitation allows an attacker to hijack a legitimate user's session after authentication, gaining unauthorized access to the user's session data and privileges. This could lead to data disclosure, privilege escalation, or further attacks within the context of the affected application.
Mitigation
The vulnerability is fixed in Apache Tomcat versions 11.0.8, 10.1.42, and 9.0.106. Users are strongly recommended to upgrade to these patched versions. For older, unsupported versions, upgrading to a supported release is advised. No workarounds have been disclosed [1][2][3][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tomcat:tomcat-catalina (Maven) | >= 11.0.0-M1, < 11.0.8 | 11.0.8 |
| org.apache.tomcat:tomcat-catalina (Maven) | >= 10.1.0-M1, < 10.1.42 | 10.1.42 |
| org.apache.tomcat:tomcat-catalina (Maven) | >= 9.0.0.M1, < 9.0.106 | 9.0.106 |
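As an added check for the ranges in the table above and the upgrade advice in the Mitigation section (this script is not part of the advisory or of Tomcat), the following Python classifies a Tomcat version string against the affected ranges. It handles the milestone notation the table uses (11.0.0-M1, 9.0.0.M1), which must sort before the final release of the same x.y.z; the `Server version: Apache Tomcat/x.y.z` banner format and the sample banner are assumptions.

```python
import re

# Version ranges from the advisory table: lower bound inclusive, upper bound
# exclusive, keyed by Tomcat branch (major, minor). The upper bound is also
# the first patched release of that branch.
AFFECTED = {
    (11, 0): ("11.0.0-M1", "11.0.8"),
    (10, 1): ("10.1.0-M1", "10.1.42"),
    (9, 0): ("9.0.0.M1", "9.0.106"),
}

# Tomcat writes milestones as 11.0.0-M1 (newer branches) or 9.0.0.M1 (9.0.x).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def parse_version(text):
    """Turn a Tomcat version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    # Milestones rank by their number; a final release with the same x.y.z
    # ranks above every milestone, so 11.0.0-M1 < 11.0.0.
    rank = int(milestone) if milestone is not None else float("inf")
    return (int(major), int(minor), int(patch), rank)


def classify(version):
    """Return (status, first_patched_release) for a Tomcat version string."""
    v = parse_version(version)
    branch = AFFECTED.get(v[:2])
    if branch is None:
        # Branch not listed in the advisory: the text says older EOL versions
        # may also be affected, so the only safe answer is to upgrade.
        return ("unlisted-branch", None)
    low, high = branch
    if parse_version(low) <= v < parse_version(high):
        return ("affected", high)
    return ("fixed", high)


def classify_banner(banner):
    """Classify the 'Server version: Apache Tomcat/x.y.z' line that
    Tomcat's version.sh prints (format assumed here)."""
    m = re.search(r"Apache Tomcat/(\S+)", banner)
    if not m:
        raise ValueError("no 'Apache Tomcat/<version>' marker in banner")
    return classify(m.group(1))


if __name__ == "__main__":
    # Constructed sample banner, not captured from a real server.
    sample = "Server version: Apache Tomcat/9.0.105\nServer built:   (constructed)"
    print(classify_banner(sample))  # ('affected', '9.0.106')
```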
Affected products
- Apache Software Foundation / Apache Tomcat, range: 11.0.0-M1
Patches
90306d971bb8 Encode redirect URL used by the rewrite valve with session id
3 files changed · +11 −3
java/org/apache/catalina/connector/Request.java+1 −1 modified@@ -519,7 +519,7 @@ public void recycle() { } - protected void recycleSessionInfo() { + public void recycleSessionInfo() { if (session != null) { try { session.endAccess();
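Review bot: widening recycleSessionInfo() from protected to public makes a connector-level session reset callable by any code that holds a Request, and the hunk adds no Javadoc saying who is meant to call it; a short comment above the method stating that it exists for valves that re-dispatch a request internally (the rewrite valve is the caller added in this change) and that it ends access on the current session would make the contract explicit.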
java/org/apache/catalina/valves/rewrite/RewriteValve.java+5 −2 modified@@ -461,11 +461,13 @@ public void invoke(Request request, Response response) throws IOException, Servl if (context && urlStringEncoded.charAt(0) == '/' && !UriUtil.hasScheme(urlStringEncoded)) { urlStringEncoded.insert(0, request.getContext().getEncodedPath()); } + String redirectPath; if (rule.isNoescape()) { - response.sendRedirect(UDecoder.URLDecode(urlStringEncoded.toString(), uriCharset)); + redirectPath = UDecoder.URLDecode(urlStringEncoded.toString(), uriCharset); } else { - response.sendRedirect(urlStringEncoded.toString()); + redirectPath = urlStringEncoded.toString(); } + response.sendRedirect(response.encodeRedirectURL(redirectPath)); response.setStatus(rule.getRedirectCode()); done = true; break; @@ -577,6 +579,7 @@ public void invoke(Request request, Response response) throws IOException, Servl chunk.append(host.toString()); } request.getMappingData().recycle(); + request.recycleSessionInfo(); // Reinvoke the whole request recursively Connector connector = request.getConnector(); try {
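Review bot: in the first hunk the noescape branch now decodes the rewritten URL with UDecoder.URLDecode() and only afterwards passes it through response.encodeRedirectURL(), so the session id is attached to an already-decoded path; a one-line comment on why decoding has to precede the session encoding would help future readers, and collapsing both branches onto a single sendRedirect() call is the right shape. In the second hunk, request.recycleSessionInfo() is inserted right after request.getMappingData().recycle() without a comment of its own, and the changelog is the only place that explains it (a re-dispatch may land in a context with a different session configuration); extend the existing "// Reinvoke the whole request recursively" comment to say that any session already resolved under the original context is discarded before mapping runs again.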
webapps/docs/changelog.xml+5 −0 modified@@ -125,6 +125,11 @@ in a single URL segment. Based on pull request <pr>860</pr> by Chenjp. (markt) </fix> + <fix> + <bug>69699</bug>: Encode redirect URL used by the rewrite valve with + the session id if appropriate, and handle cross context with different + session configuration when using rewrite. (remm) + </fix> </changelog> </subsection> <subsection name="Coyote">
9c3673ba0400 Encode redirect URL used by the rewrite valve with session id
3 files changed · +11 −3
java/org/apache/catalina/connector/Request.java+1 −1 modified@@ -547,7 +547,7 @@ public void recycle() { } - protected void recycleSessionInfo() { + public void recycleSessionInfo() { if (session != null) { try { session.endAccess();
java/org/apache/catalina/valves/rewrite/RewriteValve.java+5 −2 modified@@ -462,11 +462,13 @@ public void invoke(Request request, Response response) throws IOException, Servl if (context && urlStringEncoded.charAt(0) == '/' && !UriUtil.hasScheme(urlStringEncoded)) { urlStringEncoded.insert(0, request.getContext().getEncodedPath()); } + String redirectPath; if (rule.isNoescape()) { - response.sendRedirect(UDecoder.URLDecode(urlStringEncoded.toString(), uriCharset)); + redirectPath = UDecoder.URLDecode(urlStringEncoded.toString(), uriCharset); } else { - response.sendRedirect(urlStringEncoded.toString()); + redirectPath = urlStringEncoded.toString(); } + response.sendRedirect(response.encodeRedirectURL(redirectPath)); response.setStatus(rule.getRedirectCode()); done = true; break; @@ -578,6 +580,7 @@ public void invoke(Request request, Response response) throws IOException, Servl chunk.append(host.toString()); } request.getMappingData().recycle(); + request.recycleSessionInfo(); // Reinvoke the whole request recursively Connector connector = request.getConnector(); try {
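Review bot: same two hunks as in the first commit listed above, shifted by one line (-462 and -578 here versus -461 and -577); the same request for a comment beside the new request.recycleSessionInfo() call, explaining why session state is dropped before the recursive re-dispatch, applies to this backport.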
webapps/docs/changelog.xml+5 −0 modified@@ -121,6 +121,11 @@ the new <code>ParameterLimitValve</code>. The valve allows configurable URL-specific limits on the number of parameters. (dsoumis) </add> + <fix> + <bug>69699</bug>: Encode redirect URL used by the rewrite valve with + the session id if appropriate, and handle cross context with different + session configuration when using rewrite. (remm) + </fix> </changelog> </subsection> <subsection name="Coyote">
8621e4c6ba2c Encode redirect URL used by the rewrite valve with session id
3 files changed · +11 −3
java/org/apache/catalina/connector/Request.java+1 −1 modified@@ -517,7 +517,7 @@ public void recycle() { } - protected void recycleSessionInfo() { + public void recycleSessionInfo() { if (session != null) { try { session.endAccess();
java/org/apache/catalina/valves/rewrite/RewriteValve.java+5 −2 modified@@ -462,11 +462,13 @@ public void invoke(Request request, Response response) throws IOException, Servl if (context && urlStringEncoded.charAt(0) == '/' && !UriUtil.hasScheme(urlStringEncoded)) { urlStringEncoded.insert(0, request.getContext().getEncodedPath()); } + String redirectPath; if (rule.isNoescape()) { - response.sendRedirect(UDecoder.URLDecode(urlStringEncoded.toString(), uriCharset)); + redirectPath = UDecoder.URLDecode(urlStringEncoded.toString(), uriCharset); } else { - response.sendRedirect(urlStringEncoded.toString()); + redirectPath = urlStringEncoded.toString(); } + response.sendRedirect(response.encodeRedirectURL(redirectPath)); response.setStatus(rule.getRedirectCode()); done = true; break; @@ -578,6 +580,7 @@ public void invoke(Request request, Response response) throws IOException, Servl chunk.append(host.toString()); } request.getMappingData().recycle(); + request.recycleSessionInfo(); // Reinvoke the whole request recursively Connector connector = request.getConnector(); try {
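Review bot: the RewriteValve.java hunks here are identical to the other two commits (offsets -462 and -578) and Request.java differs only in its offset (-517); the comment requested for the new request.recycleSessionInfo() call and the Javadoc for the now-public recycleSessionInfo() should be applied to this backport as well so the three branches stay in sync.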
webapps/docs/changelog.xml+5 −0 modified@@ -121,6 +121,11 @@ the new <code>ParameterLimitValve</code>. The valve allows configurable URL-specific limits on the number of parameters. (dsoumis) </add> + <fix> + <bug>69699</bug>: Encode redirect URL used by the rewrite valve with + the session id if appropriate, and handle cross context with different + session configuration when using rewrite. (remm) + </fix> </changelog> </subsection> <subsection name="Coyote">
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-23hv-mwm6-g8jf (GHSA advisory)
- lists.apache.org/thread/v6bknr96rl7l1qxkl1c03v0qdvbbqs47 (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-55668 (advisory)
- www.openwall.com/lists/oss-security/2025/08/13/3 (web)
- github.com/apache/tomcat/commit/8621e4c6ba2c916a41eb34cb0f781171ead33fb6 (web)
- github.com/apache/tomcat/commit/90306d971bb8b8393336d893644124fb2ca11d21 (web)
- github.com/apache/tomcat/commit/9c3673ba04009377cb0c81ccb6cf5078aec1aa95 (web)
- tomcat.apache.org/security-10.html (web)
- tomcat.apache.org/security-11.html (web)
- tomcat.apache.org/security-9.html (web)
News mentions
No linked articles in our index yet.