# Technical Analysis

## 1. Root Cause

A behavior in `LoadBalancerDrainingValve` may allow a remote attacker to trigger an attacker‑controlled **cross‑system redirect** during session invalidation on a disabled (draining) node.  
If the request URI begins with `//`, Tomcat preserves this value and uses it to construct a redirect target. Browsers interpret such URLs as protocol‑relative, causing navigation to a different domain.

In multi‑domain deployments (e.g., `victim01.com` and `victim02.com` belonging to the same organization), this can result in a redirect from one trusted domain to another **while carrying attacker‑controlled session or flow parameters**, potentially affecting payment flows, SSO/OIDC authentication, or identity‑binding logic.

This redirect is generated by Tomcat itself, not by application code.

## 2. Trigger Path
When a request reaches a Tomcat node marked as *disabled* (draining), `LoadBalancerDrainingValve`:

1. Detects an invalid session identifier  
2. Removes the session  
3. Constructs a redirect target using the raw request URI  

If the request URI begins with `//victim02.com/...`, Tomcat treats it as a valid absolute path and preserves the leading slashes. The valve then emits a redirect such as:

```
Location: //victim02.com/sso;JSESSIONID=attacker_victim02_sessionid?token=AttackerInjectedToken&uid=AttackerUid&flowId=maliciousFlowId
```

Browsers interpret this as:

```
https://victim02.com/sso;JSESSIONID=attacker_victim02_sessionid?token=AttackerInjectedToken&uid=AttackerUid&flowId=maliciousFlowId
```

This results in a **cross‑system redirect** from `victim01.com` to `victim02.com`, carrying attacker‑controlled parameters.

Because the redirect occurs **immediately after session invalidation**, the application may be in the middle of:

- SSO / OIDC login initiation  
- OAuth authorization  
- Payment authorization flows  
- Identity‑binding or session‑binding logic  
- Flow‑based access control  

The attacker‑controlled redirect may cause the second system (`victim02.com`) to bind the victim’s identity or authorization state to attacker‑controlled parameters.

This is a cross‑system security boundary violation.

## 3. Impact Analysis
- Cross‑System Open Redirect
- Target System Session Fixation

## 4. Why Existing Protections Failed
(Optional but recommended for high-impact vulnerabilities.)

## 5. Patch / Mitigation Analysis
- Disable `LoadBalancerDrainingValve`  
- Reject or normalize request URIs beginning with `//` before they reach `LoadBalancerDrainingValve`
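As an added example, not part of this analysis or of Tomcat itself, the following Catalina Valve implements the second mitigation by rejecting requests whose URI starts with `//` before they reach `LoadBalancerDrainingValve`. It assumes Tomcat 10 or later (the `jakarta` servlet namespace) and a hypothetical package name; it must be declared in `server.xml` ahead of the draining valve in the same container so that it runs first.

```java
package com.example.valves; // hypothetical package name

import java.io.IOException;
import jakarta.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/**
 * Rejects requests whose URI begins with "//" so that a protocol-relative
 * path can never be copied into a Location header by a later valve.
 *
 * Declare it before the draining valve in server.xml, e.g. at Engine or
 * Host level:
 *   <Valve className="com.example.valves.RejectProtocolRelativeUriValve" />
 *   <Valve className="org.apache.catalina.valves.LoadBalancerDrainingValve" />
 */
public class RejectProtocolRelativeUriValve extends ValveBase {

    // Returns true when the URI would be read by a browser as
    // protocol-relative (scheme omitted, host taken from the path).
    static boolean isProtocolRelative(String uri) {
        return uri != null && uri.startsWith("//");
    }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Check both the raw URI (what the draining valve copies) and the
        // decoded form, so a percent-encoded "%2F%2F" prefix is caught too.
        if (isProtocolRelative(request.getRequestURI())
                || isProtocolRelative(request.getDecodedRequestURI())) {
            response.sendError(400); // 400 Bad Request, no redirect emitted
            return;
        }
        getNext().invoke(request, response);
    }
}
```

Rejecting is preferred over rewriting the URI here because Catalina's request object is not designed to have its URI mutated mid-pipeline; a 400 response simply never produces a Location header.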