CVE-2025-55668

Description

Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

How to fix CVE-2025-55668

To remediate CVE-2025-55668, upgrade the affected package to a fixed version below.

• —upgrade to 9.0.106 or later
• —upgrade to 10.1.52-1~deb12u1 or later
• —upgrade to 11.0.15-1~deb13u1 or later
• —upgrade to 9.0.70-2 or later
• —upgrade to 11.0.8 or later

Is CVE-2025-55668 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0, < 9.0.106, >= 10.0.0, < 10.1.42, >= 11.0.0, < 11.0.8
• from 0, < 10.1.52-1~deb12u1
• from 0, < 11.0.15-1~deb13u1
• from 0, < 9.0.70-2
• >= 11.0.0-M1, < 11.0.8

CVSS scores

References (11)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-55668
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-55668
• PATCHgithub.com/apache/tomcat
• WEBgithub.com/apache/tomcat/commit/8621e4c6ba2c916a41eb34cb0f781171ead33fb6