
A critical security vulnerability has been disclosed in Apache Roller, an open-source, Java-based blog server, that allows malicious actors to retain unauthorized access even after a password has been changed.
The flaw, tracked as CVE-2025-24859, carries a CVSS score of 10.0, indicating maximum severity. It affects all versions of Roller up to and including 6.1.4.

“A session management vulnerability exists in Apache Roller before version 6.1.5, when active user sessions are not properly disabled after the password has been changed,” the project maintainer said in its advisory.
“If the user’s password is changed by himself or by the administrator, the existing session remains active and available.”
Successful exploitation of the flaw allows an attacker to retain continuous access to the application through the old session even after the password has been changed. It may also give an attacker unrestricted access if a user's credentials have been compromised.
The flaw has been addressed in version 6.1.5 by implementing centralized session management, so that all active sessions are invalidated when a password is changed or a user is disabled.
Security researcher Haining Meng has been credited with discovering and reporting the vulnerability.
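As an added illustration of the flaw and of the fix the advisory describes (example code written for this page, not Roller's own implementation, which is Java), a minimal central session registry where the `fix_enabled` flag switches between leaving sessions alive after a password change and revoking them:

```python
import hashlib
import secrets

def _hash(password: str, salt: str) -> str:
    # Illustrative only; a real deployment uses a slow password hash (bcrypt, Argon2).
    return hashlib.sha256((salt + password).encode()).hexdigest()

class SessionManager:
    """Central session registry. fix_enabled=False reproduces the pre-6.1.5 behaviour
    (password change leaves sessions valid); fix_enabled=True revokes them as 6.1.5 does."""

    def __init__(self, fix_enabled: bool = True):
        self.fix_enabled = fix_enabled
        self.users = {}     # username -> {"salt", "hash", "enabled"}
        self.sessions = {}  # session token -> username (the central registry)

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_hex(8)
        self.users[username] = {"salt": salt, "hash": _hash(password, salt), "enabled": True}

    def login(self, username: str, password: str):
        u = self.users.get(username)
        if u is None or not u["enabled"] or _hash(password, u["salt"]) != u["hash"]:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def is_authenticated(self, token: str) -> bool:
        # Per-request check consults only the registry; credentials are not re-verified here.
        return token in self.sessions

    def _revoke_all(self, username: str) -> int:
        stale = [t for t, u in self.sessions.items() if u == username]
        for t in stale:
            del self.sessions[t]
        return len(stale)

    def change_password(self, username: str, new_password: str) -> int:
        # Same path whether the user or an administrator changes it; returns sessions revoked.
        u = self.users[username]
        u["salt"] = secrets.token_hex(8)
        u["hash"] = _hash(new_password, u["salt"])
        return self._revoke_all(username) if self.fix_enabled else 0

    def disable_user(self, username: str) -> int:
        self.users[username]["enabled"] = False
        return self._revoke_all(username) if self.fix_enabled else 0
```

The account names and passwords in the test sequence are constructed sample values; the property to check is that a session issued before `change_password` or `disable_user` is rejected afterwards only when `fix_enabled` is true.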

This disclosure comes weeks after another critical vulnerability was disclosed in Apache Parquet’s Java Library (CVE-2025-30065, CVSS score: 10.0).
Last month, a critical security flaw affecting Apache Tomcat (CVE-2025-24813, CVSS score: 9.8) came under active exploitation shortly after the bug details became public knowledge.