Session Fixation in org.apache.tomcat.embed:tomcat-embed-core

CVE-2025-55668

org.apache.tomcat.embed:tomcat-embed-core
org.apache.tomcat:tomcat-catalina

Medium

6.5/10

Summary

Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects org.apache.tomcat:tomcat-catalina: versions from 8.0.0-RC1 through 8.0.53, 8.5.0 through 8.5.100, 9.0.0.M1 through 9.0.105, 10.1.0-M1 through 10.1.41 and 11.0.0-M1 through 11.0.7.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-384 - Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

References

Advisory
Mail Thread
Release Note

Advisory Timeline

Published Aug 13, 2025

Session Fixation in org.apache.tomcat.embed:tomcat-embed-core

CVE-2025-55668

Summary

CWE-384 - Session Fixation

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS