The Apache Tomcat Project has issued important updates addressing two significant vulnerabilities affecting multiple supported versions of the popular open-source application server. The flaws — CVE-2025-55668 and CVE-2025-48989 — could enable session fixation attacks and denial-of-service (DoS) via the “MadeYouReset” HTTP/2 technique.
The first vulnerability (CVE-2025-55668) is described as a “Session Fixation vulnerability in Apache Tomcat via rewrite valve.” It affects:
- Tomcat 11.0.0-M1 through 11.0.7
- Tomcat 10.1.0-M1 through 10.1.41
- Tomcat 9.0.0.M1 through 9.0.105
- Potentially older, end-of-life versions
Session fixation vulnerabilities occur when an attacker can force or set a user’s session ID before login, potentially allowing them to hijack the session later. In Tomcat’s case, the issue arises in the rewrite valve mechanism, which handles URL rewriting to preserve session identifiers.
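The scenario described above, as an added toy model that is not Tomcat's code or part of the advisory: an in-memory dictionary stands in for the container's session store, `SessionStore` and `fixation_outcome` are names chosen here, and the only thing demonstrated is why an application must bind authenticated state to a fresh identifier at login (what a Servlet 3.1+ application gets by calling `HttpServletRequest.changeSessionId()` after authentication).

```python
"""Session fixation versus the rotate-on-login mitigation (added toy model).

Not Tomcat's session manager: a dict stands in for the container's store, and
nothing here models the rewrite valve itself.
"""
import secrets
from typing import Dict, Optional


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def new_session(self) -> str:
        """Mint an unauthenticated session, as any anonymous visitor can."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def login(self, sid: str, user: str, rotate: bool) -> str:
        """Authenticate the session identified by `sid` and return the id to use.

        rotate=False keeps the pre-authentication id (fixation-prone).
        rotate=True discards it and binds the authenticated state to a new id,
        so an id chosen before login is worthless afterwards.
        """
        state = self._sessions[sid]
        state["user"] = user
        if not rotate:
            return sid
        del self._sessions[sid]
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = state
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        """User an id currently authenticates as; None if unknown or anonymous."""
        return self._sessions.get(sid, {}).get("user")


def fixation_outcome(rotate: bool) -> dict:
    """Walk the scenario from the text: a pre-login id is planted, the victim
    authenticates with it. Reports what each identifier is worth afterwards.
    """
    store = SessionStore()
    planted = store.new_session()  # constructed: the id fixed before login
    victims = store.login(planted, "alice", rotate=rotate)
    return {
        # "alice" here means the planted id now carries the victim's login
        "attacker_sees_user": store.user_for(planted),
        "victim_sid_changed": victims != planted,
        "victim_still_logged_in": store.user_for(victims) == "alice",
    }


if __name__ == "__main__":
    print("no rotation:", fixation_outcome(rotate=False))
    print("rotation   :", fixation_outcome(rotate=True))
```

Without rotation the planted id authenticates as the victim; with rotation the victim stays logged in under a new id and the planted one resolves to nothing. The rotation step is the check to look for in any login flow a container-level fix like this one would otherwise be covering for.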
Apache recommends upgrading immediately to Tomcat 11.0.8, 10.1.42, or 9.0.106, which contain the necessary fixes.
The second flaw (CVE-2025-48989), rated High severity, is an “Improper Resource Shutdown or Release vulnerability in Apache Tomcat [that] made Tomcat vulnerable to the made you reset attack.”
This vulnerability affects:
- Tomcat 11.0.0-M1 through 11.0.9
- Tomcat 10.1.0-M1 through 10.1.43
- Tomcat 9.0.0.M1 through 9.0.107
MadeYouReset — tracked as CVE-2025-8671 in broader advisories — is a recently disclosed HTTP/2 protocol abuse method that allows an attacker to overwhelm a server by exploiting mismatches between protocol stream resets and backend request handling. In Tomcat, this flaw could be leveraged to cause resource exhaustion, leading to service disruption.
Apache advises upgrading to Tomcat 11.0.10, 10.1.44, or 9.0.108 to eliminate the vulnerability.
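A version check covering both advisories on this page, as an added example rather than an Apache-provided tool: the affected ranges and first fixed builds are exactly the ones listed above, the milestone ordering (a `-M1` or `.M1` build sorts before the final build of the same number) follows Tomcat's own numbering, and `parse_version`, `affecting_cves` and `ADVISORIES` are names chosen here.

```python
"""Check a Tomcat version string against the two advisories described above.

Added example; the ranges are copied from the advisory text, not fetched.
"""
import re
from typing import List, Tuple

# Matches "9.0.105", "11.0.0-M1" and the older "9.0.0.M1" milestone spelling.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Parse a Tomcat version into a sortable tuple.

    Milestones precede the final build of the same number, so the tuple is
    (major, minor, patch, is_final, milestone_number).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


# (first affected, last affected, first fixed) per supported branch, from the advisory.
ADVISORIES = {
    "CVE-2025-55668": [
        ("11.0.0-M1", "11.0.7", "11.0.8"),
        ("10.1.0-M1", "10.1.41", "10.1.42"),
        ("9.0.0.M1", "9.0.105", "9.0.106"),
    ],
    "CVE-2025-48989": [
        ("11.0.0-M1", "11.0.9", "11.0.10"),
        ("10.1.0-M1", "10.1.43", "10.1.44"),
        ("9.0.0.M1", "9.0.107", "9.0.108"),
    ],
}


def affecting_cves(version: str) -> List[Tuple[str, str]]:
    """Return [(cve_id, first_fixed_version)] for each range containing `version`."""
    v = parse_version(version)
    hits = []
    for cve, ranges in ADVISORIES.items():
        for first, last, fixed in ranges:
            if parse_version(first) <= v <= parse_version(last):
                hits.append((cve, fixed))
    return hits


def is_end_of_life_branch(version: str) -> bool:
    """True for branches below 9.0, which the advisory does not enumerate but
    says may also be affected by CVE-2025-55668; those need replacing, not patching."""
    return parse_version(version)[0] < 9


if __name__ == "__main__":
    for sample in ("9.0.105", "9.0.106", "10.1.44", "11.0.0-M1", "8.5.100"):
        print(sample, affecting_cves(sample), "EOL" if is_end_of_life_branch(sample) else "")
```

An unlisted version such as 10.0.x falls outside every range here only because the advisory does not enumerate it; treat an empty result on an unsupported branch as "unknown", not "safe".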