A critical vulnerability has been discovered in Apache Roller, the open-source, Java-based blogging platform, that could let attackers retain access even after a user's password is changed. Identified as CVE-2025-24859, the flaw carries the highest possible CVSS score of 10.0, highlighting its severity.
This issue impacts all versions of Apache Roller up to and including version 6.1.4.
According to a security advisory from the project's maintainers, the vulnerability stems from improper session invalidation. Specifically, when a user's password is updated, whether by the user or by an administrator, existing active sessions are not terminated, so previous logins remain valid.
This lapse can allow attackers to maintain unauthorized access if they had previously compromised credentials, essentially bypassing a password reset or lockout attempt. The flaw could potentially be exploited to escalate access or carry out persistent attacks.
The bug has been fixed in version 6.1.5, which introduces centralized session management. With this update, all active user sessions are now invalidated automatically when a password is changed or an account is disabled.
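The following is an added, illustrative model of the defect and of the centralized fix described above. It is not Apache Roller's source code; the classes, function names and sample credentials are invented for the demonstration. It contrasts an application that only rewrites the stored password hash with one that also revokes every session a central registry holds for that user, on both password change and account disable.

```python
"""Illustrative model of the session-invalidation defect described in the
article, and of a centralized fix. Added example code, not Apache Roller's
source; all names here are invented for the demonstration."""

import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class User:
    name: str
    password_hash: str
    enabled: bool = True


def hash_password(password: str) -> str:
    # Demonstration-only hashing; a real system uses a slow, salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


class SessionRegistry:
    """Central registry: every issued session is recorded against its user,
    so the application can revoke all of a user's sessions in one call."""

    def __init__(self):
        self._sessions = {}  # session token -> username

    def issue(self, username):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def user_for(self, token):
        return self._sessions.get(token)

    def revoke_all(self, username):
        stale = [t for t, u in self._sessions.items() if u == username]
        for t in stale:
            del self._sessions[t]
        return len(stale)


class VulnerableApp:
    """Pre-fix behaviour: credentials change, but issued sessions survive."""

    def __init__(self):
        self.users = {}
        self.registry = SessionRegistry()

    def add_user(self, name, password):
        self.users[name] = User(name, hash_password(password))

    def login(self, name, password):
        u = self.users.get(name)
        if u and u.enabled and u.password_hash == hash_password(password):
            return self.registry.issue(name)
        return None

    def is_authenticated(self, token):
        # Request-time check only asks "is this token known?"
        return self.registry.user_for(token) is not None

    def change_password(self, name, new_password):
        self.users[name].password_hash = hash_password(new_password)
        # Defect: existing sessions are never revoked.

    def disable_account(self, name):
        self.users[name].enabled = False
        # Defect: blocks new logins only; live sessions keep working.


class FixedApp(VulnerableApp):
    """Post-fix behaviour: password change and account disable both revoke
    every session the registry holds for that user."""

    def change_password(self, name, new_password):
        super().change_password(name, new_password)
        return self.registry.revoke_all(name)

    def disable_account(self, name):
        super().disable_account(name)
        return self.registry.revoke_all(name)


def old_session_survives_password_change(app_cls):
    """Log in, change the password, report whether the old token still works."""
    app = app_cls()
    app.add_user("alice", "old-secret")  # constructed sample credentials
    token = app.login("alice", "old-secret")
    app.change_password("alice", "new-secret")
    return app.is_authenticated(token)


def old_session_survives_disable(app_cls):
    """Log in, disable the account, report whether the old token still works."""
    app = app_cls()
    app.add_user("bob", "hunter2")  # constructed sample credentials
    token = app.login("bob", "hunter2")
    app.disable_account("bob")
    return app.is_authenticated(token)


if __name__ == "__main__":
    for cls in (VulnerableApp, FixedApp):
        print(cls.__name__, "keeps session after password change:",
              old_session_survives_password_change(cls))
```

The design point is that revocation has to live in one place that knows every session for a user; a password-change handler that only updates the stored hash has nothing to revoke, which is the gap the advisory describes. A regression test for this class of bug is simply the two helper functions above asserting `False`.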
The vulnerability was responsibly reported by security researcher Haining Meng, who has been credited for the discovery.
This disclosure follows closely after the revelation of another critical issue in Apache Parquet’s Java Library (CVE-2025-30065), which also earned a CVSS score of 10.0, and a separate Apache Tomcat flaw (CVE-2025-24813) that saw real-world exploitation shortly after becoming public.