Severe Security Flaw Found in Apache Roller Allows Persistent Unauthorized Access
A critical vulnerability has been identified in Apache Roller, the open-source Java-based blogging server, which could allow attackers to retain access even after a user changes their password.
Tracked as CVE-2025-24859 and carrying a maximum CVSS severity score of 10.0, the flaw affects all versions up to and including Roller 6.1.4. According to an advisory from project maintainers, the issue lies in improper session management, where active sessions remain valid even after a user or admin updates the account password.
"This means attackers could continue to use old sessions to access the system, posing a serious risk if credentials are compromised," the advisory noted.
Version 6.1.5 has resolved the issue by introducing centralized session management, ensuring that all active sessions are immediately terminated when passwords are updated or user accounts are disabled.
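As an added illustration (not code from Apache Roller or its advisory), the following Python model contrasts a password change that leaves already-issued sessions untouched with one that goes through a central session registry and revokes them, which is the behaviour the advisory describes for 6.1.5; the account, password and token handling are constructed sample values, not Roller's implementation.

```python
import hashlib
import secrets
class SessionStore:
    """Central, server-side session registry (constructed example)."""
    def __init__(self):
        self._owner = {}    # session token -> username
        self._by_user = {}  # username -> set of that user's live tokens

    def create(self, username):
        token = secrets.token_urlsafe(32)
        self._owner[token] = username
        self._by_user.setdefault(username, set()).add(token)
        return token

    def owner(self, token):
        """Return the user a token authenticates, or None once revoked."""
        return self._owner.get(token)

    def revoke_all(self, username):
        """Drop every live session of one user; possible because all tokens are tracked here."""
        for token in self._by_user.pop(username, set()):
            self._owner.pop(token, None)

class Accounts:
    def __init__(self, sessions, revoke_on_change):
        self.sessions = sessions
        self.revoke_on_change = revoke_on_change  # False models the pre-6.1.5 behaviour
        self._pw_hash = {}

    def _hash(self, password):
        return hashlib.sha256(password.encode()).hexdigest()  # stand-in for a slow password hash

    def set_password(self, username, password):
        self._pw_hash[username] = self._hash(password)
        if self.revoke_on_change:               # the 6.1.5-style fix: rotate the credential,
            self.sessions.revoke_all(username)  # then terminate every session it had issued

    def login(self, username, password):
        if self._pw_hash.get(username) != self._hash(password):
            return None
        return self.sessions.create(username)

def old_session_survives_reset(revoke_on_change):
    # True if a session issued before a password change still authenticates afterwards
    sessions = SessionStore()
    accounts = Accounts(sessions, revoke_on_change)
    accounts.set_password("alice", "old-secret")  # constructed sample account
    token = accounts.login("alice", "old-secret")
    accounts.set_password("alice", "new-secret")  # the user rotates the password
    return sessions.owner(token) == "alice"
```

With `revoke_on_change=False` the pre-rotation token keeps working, which is the condition the advisory warns about; with it set to `True` the same token is rejected immediately after the change.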
The vulnerability was responsibly reported by security researcher Haining Meng.
This disclosure follows the recent identification of another high-risk flaw in Apache Parquet's Java Library (CVE-2025-30065, CVSS score: 10.0), which could allow remote code execution. Additionally, last month, Apache Tomcat was hit with an actively exploited vulnerability (CVE-2025-24813, CVSS score: 9.8) shortly after public disclosure.
These incidents highlight the growing need for vigilance and timely patching within open-source ecosystems.