CVE-2025-55668 Overview
A Session Fixation vulnerability has been identified in Apache Tomcat's rewrite valve component. This vulnerability (CWE-384) allows attackers to potentially hijack user sessions by exploiting improper session handling in the rewrite valve functionality. Session fixation attacks enable malicious actors to set or force a user's session identifier, allowing them to impersonate legitimate users after authentication.
Critical Impact
Attackers can exploit this session fixation flaw to gain unauthorized access to authenticated user sessions, potentially compromising confidential data and user accounts on affected Apache Tomcat deployments.
Affected Products
- Apache Tomcat 11.0.0-M1 through 11.0.7
- Apache Tomcat 10.1.0-M1 through 10.1.41
- Apache Tomcat 9.0.0.M1 through 9.0.105
Discovery Timeline
- August 13, 2025 - CVE-2025-55668 published to NVD
- November 4, 2025 - Last updated in NVD database
Technical Details for CVE-2025-55668
Vulnerability Analysis
This session fixation vulnerability exists within Apache Tomcat's rewrite valve component. Session fixation is an attack technique where an adversary sets a user's session identifier to a known value before the victim authenticates. Once the victim logs in with the fixed session ID, the attacker can use that same session identifier to access the authenticated session.
The rewrite valve in Apache Tomcat is used to implement URL rewriting rules similar to Apache HTTP Server's mod_rewrite. The vulnerability occurs when this component improperly handles session identifiers during URL rewriting operations, potentially allowing session tokens to be manipulated or fixed by external actors.
This flaw is exploitable over the network and requires user interaction, meaning an attacker would need to trick a victim into clicking a malicious link or visiting a crafted URL. While no authentication is required to initiate the attack, successful exploitation could result in high confidentiality impact through unauthorized access to sensitive session data.
Root Cause
The root cause of this vulnerability lies in the improper session management within the rewrite valve component. The rewrite valve fails to properly regenerate or validate session identifiers during URL rewriting operations, allowing attackers to inject or fix session tokens that persist through the authentication process. This violates secure session management principles which require session identifiers to be regenerated upon authentication state changes.
Attack Vector
The attack vector for CVE-2025-55668 is network-based and requires user interaction. An attacker can craft a malicious URL containing a predetermined session identifier and use the rewrite valve's functionality to set this session ID for the victim. The typical attack flow involves:
- The attacker generates or selects a valid session identifier
- A malicious URL is crafted that leverages the rewrite valve to associate this session ID with the victim's browser
- The victim is tricked into visiting this URL through phishing or social engineering
- When the victim authenticates, the session retains the attacker-controlled identifier
- The attacker uses the known session ID to access the victim's authenticated session
The vulnerability affects web applications hosted on vulnerable Apache Tomcat instances that utilize the rewrite valve for URL manipulation. Organizations using this functionality are particularly at risk.
Detection Methods for CVE-2025-55668
Indicators of Compromise
- Unusual session ID patterns appearing in access logs, particularly session tokens passed via URL parameters
- Multiple authentication events from different IP addresses using the same session identifier
- Session tokens appearing in referrer headers or URL query strings in server logs
- Login events where the session ID existed before authentication occurred
Detection Strategies
- Monitor web server access logs for session identifiers being passed in URL parameters through rewrite valve paths
- Implement anomaly detection for sessions being accessed from multiple distinct IP addresses or geographic locations
- Deploy web application firewalls (WAF) with rules to detect session fixation attack patterns
- Audit rewrite valve configurations in server.xml and rewrite.config for potentially vulnerable rules
Monitoring Recommendations
- Enable detailed access logging for all requests processed by the rewrite valve
- Configure session tracking to log session creation, usage, and destruction events
- Set up alerts for authentication events where session age is unusually high (indicating pre-existing sessions)
- Monitor for users reporting unexpected logouts or unauthorized account activity
How to Mitigate CVE-2025-55668
Immediate Actions Required
- Upgrade Apache Tomcat to patched versions: 11.0.8, 10.1.42, or 9.0.106 immediately
- Review and audit all rewrite valve configurations for security implications
- Consider temporarily disabling the rewrite valve if not critical to operations until patching is complete
- Implement additional session management controls at the application level
Patch Information
Apache has released security patches that address this session fixation vulnerability. Users are recommended to upgrade to the following fixed versions:
- Apache Tomcat 11.x: Upgrade to version 11.0.8 or later
- Apache Tomcat 10.1.x: Upgrade to version 10.1.42 or later
- Apache Tomcat 9.x: Upgrade to version 9.0.106 or later
Older, end-of-life (EOL) versions may also be affected and should be upgraded to supported versions. For detailed information, refer to the Apache Security Mailing List Post and the OpenWall OSS-Security Update.
Workarounds
- If upgrading is not immediately possible, consider disabling the rewrite valve by removing or commenting out the <Valve className="org.apache.catalina.valves.rewrite.RewriteValve"/> configuration
- Implement application-level session regeneration upon authentication to mitigate session fixation risks
- Use alternative URL rewriting mechanisms at the reverse proxy layer (e.g., Apache HTTP Server or Nginx) until Tomcat can be patched
- Configure session cookies with appropriate security attributes including HttpOnly, Secure, and SameSite flags
# Example: Commenting out rewrite valve in server.xml
# Before (vulnerable):
# <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
# After (disabled as workaround):
# <!-- Temporarily disabled due to CVE-2025-55668
# <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
# -->
# Verify Tomcat version after upgrade:
./catalina.sh version
# Expected output should show 11.0.8, 10.1.42, or 9.0.106 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
