Anonymous Intelligence Signal

Apache Tomcat LoadBalancerDrainingValve Open Redirect Vulnerability Exposes Web Applications to Phishing Attacks

The Lab (human) | unverified | 2026-05-07 09:31:38 | Source: GitHub Issues

A confirmed open redirect vulnerability in Apache Tomcat's LoadBalancerDrainingValve lets an attacker send users of an affected server to an untrusted site, which mainly enables phishing and credential-theft campaigns. The flaw spans the 8.5, 9.0, 10.1 and 11.0 branches, so a large share of enterprise Java deployments run affected code; the exposure, however, is limited to instances that have explicitly configured the valve, since it is not part of Tomcat's default server.xml.

The vulnerability lies in how LoadBalancerDrainingValve builds the redirect it issues while a node is being drained for maintenance, when it bounces clients off the draining node so the load balancer can route them elsewhere. An attacker can craft a link that points at a trusted Tomcat host, so it passes a casual inspection, yet makes the server's own redirect response deliver the victim to an attacker-controlled page such as a look-alike login form. Affected versions are 8.5.30 through 8.5.100, 9.0.0.M23 through 9.0.115, 10.1.0-M1 through 10.1.52, and 11.0.0-M1 through 11.0.18. The 8.5.x branch is end of life and will not receive a fix; affected 8.5 deployments must move to a supported branch or stop using the valve.
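The practical distinction here is between a benign draining redirect, whose Location stays on the server's own origin, and an open redirect, whose Location leaves it. The following classifier is an added example for this note, not Tomcat's valve code, and it makes no claim about the exact request that triggers the Tomcat bug. It shows the general ways a redirect target that looks relative can still escape the origin (protocol-relative "//host", backslashes that browsers treat as slashes, userinfo "@" tricks, non-HTTP schemes) and runs over a constructed set of response records, which is the same check a reverse proxy filter or a log monitor would apply. The host name trusted.example and the sample records are assumptions made for the demo.

```python
"""Classify redirect targets as on- or off-origin (illustrative example, not Tomcat code)."""
from urllib.parse import urlsplit


def classify_redirect(location: str, origin_host: str) -> str:
    """Return 'same-origin', 'off-origin' or 'ambiguous' for a Location header value.

    The rules are general browser URL behaviour, not a description of the Tomcat trigger:
    - a leading backslash is treated like a slash, so '/\\evil' behaves as '//evil'
    - '//host/path' is protocol-relative: it keeps the scheme but changes the host
    - 'https://good@evil/' has host 'evil'; the userinfo part is ignored by browsers
    - non-HTTP schemes (javascript:, data:, ...) are never an on-origin redirect
    """
    loc = location.strip().replace("\\", "/")
    if loc.startswith("//"):
        loc = "https:" + loc          # resolve protocol-relative with a placeholder scheme
    elif loc.startswith("/"):
        return "same-origin"          # absolute-path reference stays on this origin
    parts = urlsplit(loc)
    if not parts.scheme:
        return "ambiguous"            # bare relative reference, e.g. 'login.jsp'
    if parts.scheme not in ("http", "https"):
        return "off-origin"
    host = (parts.hostname or "").lower()   # hostname drops userinfo and port
    return "same-origin" if host == origin_host.lower() else "off-origin"


# Constructed sample of (method, path, status, Location) records; not real traffic.
SAMPLE_RESPONSES = [
    ("GET", "/app/", 307, "/app/"),                                # benign self-redirect
    ("GET", "/app/login", 302, "https://trusted.example:8443/app/login"),
    ("GET", "/app/z", 307, "//evil.example/app/"),                 # protocol-relative escape
    ("GET", "/app/x", 302, "https://trusted.example@evil.example/"),
    ("GET", "/app/y", 200, None),                                  # not a redirect at all
]


def find_off_origin_redirects(responses, origin_host):
    """Return (path, location, verdict) for every 3xx whose Location does not stay on origin_host."""
    hits = []
    for _method, path, status, location in responses:
        if 300 <= status < 400 and location is not None:
            verdict = classify_redirect(location, origin_host)
            if verdict != "same-origin":
                hits.append((path, location, verdict))
    return hits


if __name__ == "__main__":
    for hit in find_off_origin_redirects(SAMPLE_RESPONSES, "trusted.example"):
        print("off-origin redirect:", hit)
```

A filter at the proxy that treats only "same-origin" as acceptable (and either drops the Location header or rewrites it to "/") is strict but safe for a draining valve, whose legitimate redirects always stay on the node's own host. "ambiguous" results should be resolved against the request URL before a decision is made.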

Organizations running affected Tomcat instances should upgrade to the patched releases: 9.0.116, 10.1.53 or 11.0.20. Where that cannot happen immediately, the interim control belongs at the reverse proxy or WAF in front of Tomcat: a redirect is a 3xx response returned to the browser, not an outbound connection from the server, so egress rules do not stop it; what does is inspecting Location headers and dropping or rewriting any that point off the site's own host. Since the valve is opt-in, security teams should first audit server.xml (and any context.xml) for LoadBalancerDrainingValve to establish which instances are actually exposed, then monitor those for anomalous redirect responses, particularly in authentication flows. The ASF has classified this as a medium-severity issue, but the ease of exploitation and the prevalence of Tomcat in production environments warrant prompt attention.
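The audit step above comes down to two questions per instance: is the running version inside one of the affected ranges, and is the valve declared anywhere in the configuration? The script below is an added example for this note, not an ASF tool. It encodes exactly the ranges and fixed releases stated in the text (the 8.5 branch has no fix and is marked as such), knows that milestone versions such as 9.0.0.M23 and 10.1.0-M1 sort before their final release, and walks a server.xml for Valve elements whose className is org.apache.catalina.valves.LoadBalancerDrainingValve, reporting the Engine, Host or Context that declares them. The sample server.xml is constructed for the demo.

```python
"""Audit a Tomcat version and server.xml for LoadBalancerDrainingValve exposure (added example)."""
import re
import xml.etree.ElementTree as ET

DRAINING_VALVE = "org.apache.catalina.valves.LoadBalancerDrainingValve"

# (first affected, last affected, fixed release or None when the branch is end of life),
# as stated in the note above.
AFFECTED_RANGES = [
    ("8.5.30", "8.5.100", None),
    ("9.0.0.M23", "9.0.115", "9.0.116"),
    ("10.1.0-M1", "10.1.52", "10.1.53"),
    ("11.0.0-M1", "11.0.18", "11.0.20"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def version_key(version: str) -> tuple:
    """Sortable key; milestones (x.y.z.M<n> or x.y.z-M<n>) sort before the x.y.z release."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    pre = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + pre


def version_status(version: str):
    """Return (affected, fixed_in); fixed_in is None when not affected or when no fix exists (8.5.x)."""
    key = version_key(version)
    for first, last, fixed in AFFECTED_RANGES:
        if version_key(first) <= key <= version_key(last):
            return True, fixed
    return False, None


def draining_valve_locations(server_xml: str):
    """Return 'Tag[name=...]' for each container element that declares the draining valve."""
    root = ET.fromstring(server_xml)
    found = []
    for parent in root.iter():          # every element, so Engine, Host and Context are all covered
        for child in parent:
            if child.tag == "Valve" and child.get("className") == DRAINING_VALVE:
                found.append(f"{parent.tag}[name={parent.get('name', '?')}]")
    return found


def assess(version: str, server_xml: str) -> dict:
    """Combine both checks: an instance is exposed only if affected AND the valve is configured."""
    affected, fixed = version_status(version)
    locations = draining_valve_locations(server_xml)
    return {
        "version": version,
        "version_affected": affected,
        "fixed_in": fixed,
        "valve_locations": locations,
        "exposed": affected and bool(locations),
    }


# Constructed sample configuration for the demo; the valve is declared at Engine level.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="node1">
      <Valve className="org.apache.catalina.valves.LoadBalancerDrainingValve"/>
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    print(assess("10.1.52", SAMPLE_SERVER_XML))
```

Run it against the real files: feed it the version string from catalina.sh version (or the ServerInfo line in catalina.out) and the contents of conf/server.xml, and repeat for any conf/Catalina/*/*.xml or META-INF/context.xml that might declare a Context-level valve. A "fixed_in" of None together with "version_affected" True is the 8.5 end-of-life case, where the only options are removing the valve or migrating branches.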