Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence

Apr 15, 2025Ravie LakshmananVulnerability / Software Security

A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain unauthorized access even after a password change.

The flaw, assigned the CVE identifier CVE-2025-24859, carries a CVSS score of 10.0, indicating maximum severity. It affects all versions of Roller up to and including 6.1.4.

“A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes,” the project maintainers said in an advisory.

“When a user’s password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable.”

Successful exploitation of the flaw could enable an attacker to maintain continued access to the application through old sessions even after password changes. It could also enable unfettered access if credentials were compromised.

The shortcoming has been addressed in version 6.1.5 by implementing centralized session management such that all active sessions are invalidated when passwords are changed or users are disabled.

Security researcher Haining Meng has been credited with discovering and reporting the vulnerability.

The disclosure comes weeks after another critical vulnerability was disclosed in Apache Parquet’s Java Library (CVE-2025-30065, CVSS score: 10.0) that, if successfully exploited, could allow a remote attacker to execute arbitrary code on susceptible instances.

Last month, a critical security flaw impacting Apache Tomcat (CVE-2025-24813, CVSS score: 9.8) came under active exploitation shortly after details of the bug became public knowledge.

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!