CVE-2026-25854

Category: URL Redirect/Open Redirect
Affects: Apache Tomcat
Versions: >=8.5.30 <=8.5.100, >=9.0.0.M23 <=9.0.115, >=10.1.0-M1 <=10.1.52, >=11.0.0-M1 <=11.0.18
Status: Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Apache Tomcat is an open-source implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Annotations, and Jakarta Authentication specifications, providing a pure Java HTTP web server environment for running Java code. It is one of the most widely used Java application servers.

A low-severity vulnerability (CVE-2026-25854) has been identified in the LoadBalancerDrainingValve component of Apache Tomcat. When a Tomcat node in a cluster with the LoadBalancerDrainingValve is in the disabled (draining) state, a specially crafted URL can be used to trigger a redirect to a URI of the attacker's choice.

Per OWASP: Open Redirect (also known as URL Redirection to Untrusted Site) occurs when a web application accepts user-controlled input that specifies a link to an external site, and uses that link in a redirect. This can be exploited for phishing attacks by redirecting users from a trusted domain to a malicious site.

This issue affects versions 8.5.30 through 8.5.100, 9.0.0.M23 through 9.0.115, 10.1.0-M1 through 10.1.52, and 11.0.0-M1 through 11.0.18 of Apache Tomcat.

Details

Vulnerability Info

The vulnerability exists in LoadBalancerDrainingValve.java, which handles redirecting requests when a Tomcat node is in the draining state during cluster operations. The valve uses request.getRequestURI() directly in the Location response header without sanitization:

String uri = request.getRequestURI();
// ...
response.setHeader("Location", uri);

An attacker can supply a URI with multiple leading slashes, such as //evil.com/path. When this is set as the Location header value, browsers interpret it as a protocol-relative URL and redirect to evil.com.

Additionally, the regex used to strip jsessionid parameters from the URI was overly permissive:

uri = uri.replaceFirst(";" + sessionURIParamName + "=[^&?]*", "");

The character class [^&?]* does not stop at ; or / characters, potentially allowing a crafted jsessionid value to influence the redirect path.

The fix adds a collapseLeadingSlashes() method that collapses multiple leading / characters into a single /, preventing protocol-relative redirects. The jsessionid regex is also corrected to use [^;/]* instead.

The LoadBalancerDrainingValve was introduced in Tomcat 8.5.30 (backported March 29, 2018), which is why versions prior to 8.5.30 are not affected. Tomcat 7.x is also unaffected as the valve was never part of that release.
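The following class is an added illustration written for this page; it is not the source of Tomcat's LoadBalancerDrainingValve and is not taken from the advisory. It reproduces only the string handling described above as plain static methods: buildLocationVulnerable mirrors the pre-fix behaviour (URI copied into Location after the permissive jsessionid strip), and buildLocationFixed mirrors the fix (collapseLeadingSlashes plus the corrected [^;/]* class). The method names are this example's own, and the session parameter name is assumed to be the Servlet default, jsessionid, rather than read from the valve's sessionURIParamName attribute.

```java
import java.util.List;

// Added illustration of the flaw and its fix as described on this page.
// NOT Tomcat's LoadBalancerDrainingValve source; method names are this example's own.
public class DrainingRedirectExample {

    // Assumed session path parameter name (Servlet default); the real valve reads
    // it from its sessionURIParamName attribute.
    private static final String SESSION_PARAM = "jsessionid";

    // Before the fix: the request URI is copied into Location after stripping the
    // session parameter with the overly permissive class [^&?]*, which runs past
    // ';' and '/' and so can swallow path segments that follow the parameter.
    static String buildLocationVulnerable(String requestUri) {
        String uri = requestUri;
        uri = uri.replaceFirst(";" + SESSION_PARAM + "=[^&?]*", "");
        return uri;
    }

    // After the fix: the session parameter regex stops at ';' and '/', and any
    // run of leading slashes is collapsed. Collapsing is done last here so the
    // value that reaches Location is the one that was checked.
    static String buildLocationFixed(String requestUri) {
        String uri = requestUri;
        uri = uri.replaceFirst(";" + SESSION_PARAM + "=[^;/]*", "");
        return collapseLeadingSlashes(uri);
    }

    // Collapse "//..." or "///..." into "/...". A browser resolves "/evil.com/x"
    // against the current host, whereas "//evil.com/x" is a protocol-relative URL
    // pointing at evil.com.
    static String collapseLeadingSlashes(String uri) {
        int i = 0;
        while (i < uri.length() && uri.charAt(i) == '/') {
            i++;
        }
        return i > 1 ? uri.substring(i - 1) : uri;
    }

    public static void main(String[] args) {
        // Constructed sample request URIs, not captured from a real deployment.
        List<String> samples = List.of(
            "/app/index.jsp",
            "//evil.com/phishing",
            "///evil.com/phishing",
            "/app/page;jsessionid=ABC123/extra");
        for (String uri : samples) {
            System.out.printf("%-36s vulnerable=%-24s fixed=%s%n",
                uri, buildLocationVulnerable(uri), buildLocationFixed(uri));
        }
    }
}
```

Running it shows "//evil.com/phishing" becoming "/evil.com/phishing" only in the fixed variant, and the jsessionid sample losing its trailing "/extra" segment only in the vulnerable variant, which is the regex over-match the text describes.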

Steps To Reproduce

To exploit this vulnerability, a Tomcat instance must be configured with the LoadBalancerDrainingValve and be in the disabled (draining) state. The attacker sends a request with a protocol-relative URL:

GET //evil.com/phishing HTTP/1.1
Host: vulnerable-app.example.com

When the Tomcat node is draining, the valve issues a 302 redirect with the Location header set to //evil.com/phishing. The browser interprets this as a protocol-relative URL and redirects to evil.com/phishing, which the attacker controls.
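For confirming, from the defender's side, that a draining node no longer echoes a protocol-relative value into Location after patching, the following added example (not part of the advisory and not Tomcat code) classifies the Location header of a captured 302 response as same-host or off-host using java.net.URI, which treats "//host/path" as carrying an authority and "/host/path" as a plain path. The responses in main are constructed to match the behaviour the advisory describes; the method names are this example's own.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example, not from the advisory or Tomcat: decide whether the Location
// header of a captured response would send a browser to a different host.
public class RedirectTargetCheck {

    // Extract the Location header value from a raw HTTP/1.1 response, or null.
    static String extractLocation(String rawResponse) {
        for (String line : rawResponse.split("\r?\n")) {
            if (line.isEmpty()) {
                break; // blank line ends the header block
            }
            int colon = line.indexOf(':');
            if (colon > 0 && line.substring(0, colon).equalsIgnoreCase("Location")) {
                return line.substring(colon + 1).trim();
            }
        }
        return null;
    }

    // True when the value carries an authority (absolute or protocol-relative URL)
    // whose host differs from expectedHost. Path-only values such as
    // "/evil.com/phishing" have no authority and stay on the serving host.
    static boolean redirectsOffHost(String location, String expectedHost) {
        if (location == null || location.isEmpty()) {
            return false;
        }
        try {
            String host = new URI(location).getHost();
            return host != null && !host.equalsIgnoreCase(expectedHost);
        } catch (URISyntaxException e) {
            // Values java.net.URI rejects are flagged rather than ignored, since
            // browsers are more lenient than this parser.
            return true;
        }
    }

    public static void main(String[] args) {
        String host = "vulnerable-app.example.com";
        // Constructed responses: the first is what the advisory describes from an
        // unpatched draining node, the second what a node with collapsed slashes sends.
        String unpatched = "HTTP/1.1 302 Found\r\nLocation: //evil.com/phishing\r\n\r\n";
        String patched   = "HTTP/1.1 302 Found\r\nLocation: /evil.com/phishing\r\n\r\n";
        for (String raw : new String[] {unpatched, patched}) {
            String loc = extractLocation(raw);
            System.out.println(loc + " -> off-host: " + redirectsOffHost(loc, host));
        }
    }
}
```

The first response is reported as off-host and the second as same-host; an absolute URL such as "https://evil.com/x" in Location is flagged the same way, so the check also covers redirect targets beyond the double-slash case the advisory shows.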

Mitigation

Only recent versions of Apache Tomcat are community-supported. Older versions (8.5.x and earlier) will not receive any updates to address this issue. NES for Tomcat includes an update to 8.5.x to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a patched version of Apache Tomcat.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits

  • Greg K (gregk4sec) (finder)

Vulnerability Details

Severity: Low (this page's CVSS bands: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
ID: CVE-2026-25854
Project Affected: Apache Tomcat
Versions Affected: >=8.5.30 <=8.5.100, >=9.0.0.M23 <=9.0.115, >=10.1.0-M1 <=10.1.52, >=11.0.0-M1 <=11.0.18
NES Versions Affected:
Published date: April 13, 2026
≈ Fix date: April 9, 2026
Category: URL Redirect/Open Redirect