CVE-2025-55668: 
Java vulnerability analysis and mitigation

A Session Fixation vulnerability (CVE-2025-55668) was discovered in Apache Tomcat's rewrite valve functionality. The vulnerability affects multiple versions of Apache Tomcat: versions 11.0.0-M1 through 11.0.7, 10.1.0-M1 through 10.1.41, and 9.0.0.M1 through 9.0.105. The vulnerability was disclosed on August 13, 2025, and received a CVSS 3.1 base score of 6.5 (Medium) (NVD, Apache List).

The vulnerability is classified as CWE-384 (Session Fixation) and affects the rewrite valve component of Apache Tomcat. When the rewrite valve is enabled for a web application, the vulnerability allows potential session manipulation. The CVSS vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction (Rapid7).

If successfully exploited, an attacker can craft a specific URL that, when clicked by a victim, forces their subsequent interactions with the resource to occur within the context of the attacker's session. This enables potential session hijacking, allowing the attacker to perform actions on behalf of the victim (Rapid7).

Users are strongly recommended to upgrade to the fixed versions: Apache Tomcat 11.0.8, 10.1.42, or 9.0.106. These versions contain the necessary security patches to address the vulnerability (Debian Tracker).