A critical session-management flaw has been disclosed in Apache Roller, the Java-based open-source blog server. The bug lets a session established before a password change keep working afterwards, so changing a password does not lock out whoever already holds a session for the account.
Tracked as CVE-2025-24859, the vulnerability carries a CVSS score of 10.0 (critical) and affects all Roller versions up to and including 6.1.4, so the bulk of deployed installations are in scope.
The advisory from project maintainers indicates, “A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes.” In other words, sessions created under the old password remain valid after the password is updated, and anyone holding such a session keeps access.
In practice this turns a password reset, the standard response to a suspected credential compromise, into a no-op against an attacker who has already logged in with the stolen credentials: the attacker's existing session survives the reset and retains full access to the account's data and functions. Note the precondition: the flaw does not grant initial access by itself; it lets an attacker who already obtained a session keep it, which is why it matters most in the post-compromise scenario where a reset is supposed to end the intrusion.
This vulnerability has been remedied in version 6.1.5, which introduces centralized session management to ensure that all active sessions are invalidated when passwords are changed or when user accounts are disabled.
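The servlet-level pattern behind a fix of this kind, as an added illustration written for this page (it is not Roller's code and does not reproduce the 6.1.5 patch): a registry that records every authenticated session per user and revokes all of them from the password-change and account-disable paths. `UserSessionRegistry`, `CredentialStore` and `AccountService` are hypothetical names; the imports assume the Servlet 5+ `jakarta.servlet` namespace (on a Servlet 4 container such as Tomcat 9, substitute `javax.servlet`), and the listener is picked up via `@WebListener` when the container scans the web application.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import jakarta.servlet.annotation.WebListener;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpSession;
import jakarta.servlet.http.HttpSessionEvent;
import jakarta.servlet.http.HttpSessionListener;

/**
 * Hypothetical centralized session registry (example code, not Roller's).
 * Tracks every HttpSession that has been bound to a username so that a
 * password change or account disable can revoke all of them at once.
 */
@WebListener
public final class UserSessionRegistry implements HttpSessionListener {

    /** Session attribute recording which user the session was issued to. */
    static final String USER_ATTR = "registry.username";

    /** username -> live sessions issued to that user. */
    private static final Map<String, Set<HttpSession>> SESSIONS_BY_USER = new ConcurrentHashMap<>();

    /** Bind a freshly authenticated session to its user. Called from the login path. */
    public static void register(HttpSession session, String username) {
        session.setAttribute(USER_ATTR, username);
        SESSIONS_BY_USER
            .computeIfAbsent(username, k -> ConcurrentHashMap.newKeySet())
            .add(session);
    }

    /** Number of live sessions currently bound to the user (0 if none). */
    public static int activeSessions(String username) {
        Set<HttpSession> s = SESSIONS_BY_USER.get(username);
        return s == null ? 0 : s.size();
    }

    /**
     * Revoke every session issued to the user and return how many were invalidated.
     * The set is detached from the map first so the sessionDestroyed callbacks
     * fired by invalidate() cannot race with this loop.
     */
    public static int invalidateAll(String username) {
        Set<HttpSession> sessions = SESSIONS_BY_USER.remove(username);
        if (sessions == null) return 0;
        int revoked = 0;
        for (HttpSession s : sessions) {
            try {
                s.invalidate();
                revoked++;
            } catch (IllegalStateException alreadyInvalid) {
                // Session timed out between registration and now; nothing left to revoke.
            }
        }
        return revoked;
    }

    /** Keep the registry from leaking sessions that time out or log out normally. */
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        Object user = s.getAttribute(USER_ATTR); // attributes are still readable during destroy
        if (user instanceof String) {
            Set<HttpSession> set = SESSIONS_BY_USER.get(user);
            if (set != null) {
                set.remove(s);
                if (set.isEmpty()) SESSIONS_BY_USER.remove(user, set);
            }
        }
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        // Nothing to track until the session is authenticated and register() runs.
    }

    /** Minimal credential-store abstraction; a real application supplies its own. */
    public interface CredentialStore {
        void updatePasswordHash(String username, String newHash);
        void setEnabled(String username, boolean enabled);
    }

    /** The two account paths that must revoke sessions, wired to the registry. */
    public static final class AccountService {
        private final CredentialStore store;
        public AccountService(CredentialStore store) { this.store = store; }

        /** The vulnerable shape is the first line alone: the hash changes, sessions survive. */
        public void changePassword(HttpServletRequest req, String username, String newHash) {
            store.updatePasswordHash(username, newHash);
            invalidateAll(username);                  // drops every session, including the caller's
            HttpSession fresh = req.getSession(true); // new session ID, nothing carried over
            register(fresh, username);                // caller continues on a fresh session
        }

        public void disableAccount(String username) {
            store.setEnabled(username, false);
            invalidateAll(username);                  // a disabled user must not keep a live session
        }
    }
}
```

The registry is the "centralized" part: login, password change and account disable all go through one object, so no code path can update a credential without the sessions issued under it being revoked. Operators can check the same property on a patched Roller without reading code: log in from two browsers, change the password in one, and confirm that the next request in the other is rejected rather than served.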
The vulnerability was discovered by security researcher Haining Meng, highlighting the importance of vigilant security practices within the software development community.
This disclosure occurs shortly after another significant vulnerability was revealed in Apache Parquet’s Java Library (CVE-2025-30065), which also carries a CVSS score of 10.0 and poses a risk of arbitrary code execution for remote attackers. Moreover, just a month prior, Apache Tomcat was found to have a critical flaw (CVE-2025-24813) with a CVSS rating of 9.8, indicating a troubling trend of potentially exploitable vulnerabilities across widely utilized Apache software.