CVE-2025-55668

NameCVE-2025-55668
DescriptionSession Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1111098, 1111099

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat10 (PTS)bookworm, bookworm (security)10.1.34-0+deb12u2vulnerable
forky, sid, trixie10.1.40-1vulnerable
tomcat11 (PTS)forky, sid, trixie11.0.6-1vulnerable
tomcat9 (PTS)bullseye9.0.43-2~deb11u10vulnerable
bullseye (security)9.0.107-0+deb11u1fixed
bookworm9.0.70-2fixed
forky, sid, trixie9.0.95-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat10source(unstable)(unfixed)1111098
tomcat11source(unstable)(unfixed)1111099
tomcat9source(unstable)9.0.70-2

Notes

Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
https://lists.apache.org/thread/v6bknr96rl7l1qxkl1c03v0qdvbbqs47
https://github.com/apache/tomcat/commit/90306d971bb8b8393336d893644124fb2ca11d21 (11.0.8)
https://github.com/apache/tomcat/commit/8621e4c6ba2c916a41eb34cb0f781171ead33fb6 (10.1.42)
https://github.com/apache/tomcat/commit/9c3673ba04009377cb0c81ccb6cf5078aec1aa95 (9.0.106)

Search for package or bug name: Reporting problems