A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain unauthorized access even after a password change.
The flaw, assigned the CVE identifier CVE-2025-24859, carries a CVSS score of 10.0, indicating maximum severity. It affects all versions of Roller up to and including 6.1.4.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
“A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes,” the project maintainers said in an advisory.
“When a user’s password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable.”
Successful exploitation of the flaw could enable an attacker to maintain continued access to the application through old sessions even after password changes. It could also enable unfettered access if credentials were compromised.
The shortcoming has been addressed in version 6.1.5 by implementing centralized session management such that all active sessions are invalidated when passwords are changed or users are disabled.
Security researcher Haining Meng has been credited with discovering and reporting the vulnerability.
The disclosure comes weeks after another critical vulnerability was disclosed in Apache Parquet’s Java Library (CVE-2025-30065, CVSS score: 10.0) that, if successfully exploited, could allow a remote attacker to execute arbitrary code on susceptible instances.
Last month, a critical security flaw impacting Apache Tomcat (CVE-2025-24813, CVSS score: 9.8) came under active exploitation shortly after details of the bug became public knowledge.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
Majority of Browser Extensions Can Access Sensitive Enterprise Data, New Report Finds