A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain unauthorized access even after a password change.
The flaw, assigned the CVE identifier CVE-2025-24859, carries a CVSS score of 10.0, indicating maximum severity. It affects all versions of Roller up to and including 6.1.4.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
“A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes,” the project maintainers said in an advisory.
“When a user’s password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable.”
Successful exploitation of the flaw could enable an attacker to maintain continued access to the application through old sessions even after password changes. It could also enable unfettered access if credentials were compromised.
The shortcoming has been addressed in version 6.1.5 by implementing centralized session management such that all active sessions are invalidated when passwords are changed or users are disabled.
Security researcher Haining Meng has been credited with discovering and reporting the vulnerability.
The disclosure comes weeks after another critical vulnerability was disclosed in Apache Parquet’s Java Library (CVE-2025-30065, CVSS score: 10.0) that, if successfully exploited, could allow a remote attacker to execute arbitrary code on susceptible instances.
Last month, a critical security flaw impacting Apache Tomcat (CVE-2025-24813, CVSS score: 9.8) came under active exploitation shortly after details of the bug became public knowledge.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
Majority of Browser Extensions Can Access Sensitive Enterprise Data, New Report Finds