A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain unauthorized access even after a password change.
The flaw, assigned the CVE identifier CVE-2025-24859, carries a CVSS score of 10.0, indicating maximum severity. It affects all versions of Roller up to and including 6.1.4.
“A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes,” the project maintainers said in an advisory.
“When a user’s password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable.”
Successful exploitation of the flaw could enable an attacker to maintain continued access to the application through old sessions even after password changes. It could also enable unfettered access if credentials were compromised.
The shortcoming has been addressed in version 6.1.5 by implementing centralized session management such that all active sessions are invalidated when passwords are changed or users are disabled.
Security researcher Haining Meng has been credited with discovering and reporting the vulnerability.
The disclosure comes weeks after another critical vulnerability was disclosed in Apache Parquet’s Java Library (CVE-2025-30065, CVSS score: 10.0) that, if successfully exploited, could allow a remote attacker to execute arbitrary code on susceptible instances.
Last month, a critical security flaw impacting Apache Tomcat (CVE-2025-24813, CVSS score: 9.8) came under active exploitation shortly after details of the bug became public knowledge.
