A critical vulnerability in Apache Roller could allow attackers to abuse previous sessions to maintain persistent access even after password changes.
An open source, Java-based blog server, Roller includes a content management system, multi-user support with three permission levels, integrated search, and support for templates and themes.
Last week, Apache warned that Roller version 6.1.5 was released with patches for a critical-severity bug in the software’s session management functionality that resulted in active user sessions not being properly invalidated.
Tracked as CVE-2025-24859 (CVSS score of 10/10), the issue resulted in existing sessions remaining active even after the users changed their passwords. These sessions, Apache warned, could be used to maintain persistent access to the server.
“This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised,” Apache explains.
All Roller versions up to and including 6.1.4 are affected by the security defect. Roller version 6.1.5 comes with a centralized session management improvement to properly invalidate all active sessions upon password changes or when a user account is disabled.
According to the release notes, the latest Roller iteration implements RollerLoginSessionManager for better session tracking and improves cache handling for user sessions.
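The defect and its fix come down to one question: does the server know which sessions belong to a user, so it can revoke all of them when the password changes? The following Java class is an added illustration of that centralized pattern and is not Roller's own RollerLoginSessionManager; the class name, the `onPasswordChanged` and `onAccountDisabled` hooks, and the in-memory maps are assumptions made for the example. Sessions are modelled as opaque tokens rather than servlet containers so the code runs stand-alone.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical centralized session registry (example code, not Roller's).
 * Every login is recorded against its user, so a password change or an
 * account disable can revoke all of that user's sessions in one step,
 * which is the behaviour the vulnerable versions lacked.
 */
public final class SessionRegistry {

    /** Active session token -> owning username. */
    private final Map<String, String> ownerByToken = new ConcurrentHashMap<>();
    /** Username -> every session token currently active for that user. */
    private final Map<String, Set<String>> tokensByUser = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    /** Issues a fresh, unguessable session token and records it for the user. */
    public String login(String username) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        ownerByToken.put(token, username);
        tokensByUser.computeIfAbsent(username, u -> ConcurrentHashMap.newKeySet()).add(token);
        return token;
    }

    /** A request is authenticated only while its token is still registered. */
    public boolean isValid(String token) {
        return token != null && ownerByToken.containsKey(token);
    }

    /** Number of sessions currently active for the user. */
    public int activeSessions(String username) {
        Set<String> tokens = tokensByUser.get(username);
        return tokens == null ? 0 : tokens.size();
    }

    /** Revokes every session belonging to the user and returns how many were dropped. */
    public int invalidateAll(String username) {
        Set<String> tokens = tokensByUser.remove(username);
        if (tokens == null) {
            return 0;
        }
        for (String token : tokens) {
            ownerByToken.remove(token);
        }
        return tokens.size();
    }

    /**
     * Hook to call right after the new password hash has been stored
     * (assumed integration point). All old sessions are revoked, then a
     * single new session is issued so the user who made the change is
     * not logged out of the browser they are using.
     */
    public String onPasswordChanged(String username) {
        invalidateAll(username);
        return login(username);
    }

    /** Hook to call when an administrator disables the account (assumed integration point). */
    public void onAccountDisabled(String username) {
        invalidateAll(username);
    }

    public static void main(String[] args) {
        SessionRegistry registry = new SessionRegistry();

        // Two sessions for the same user: one current, one from an earlier login
        // that may no longer be under the user's control.
        String current = registry.login("alice");
        String earlier = registry.login("alice");
        System.out.println("before change: earlier session valid = " + registry.isValid(earlier));

        // Password change revokes both and hands back one fresh session.
        String fresh = registry.onPasswordChanged("alice");
        System.out.println("after change:  earlier = " + registry.isValid(earlier)
                + ", current = " + registry.isValid(current)
                + ", fresh = " + registry.isValid(fresh));

        // Disabling the account leaves nothing behind.
        registry.onAccountDisabled("alice");
        System.out.println("after disable: active sessions = " + registry.activeSessions("alice"));
    }
}
```

The point to verify in any real deployment is the one `main` exercises: after a password change, a token captured before the change must be rejected by `isValid`, and after an account is disabled the user must have zero active sessions. A fix that only clears the session making the change, rather than every session held for that user, leaves the original exposure in place.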
This is the second vulnerability with a maximum severity rating that Apache has resolved over the past two weeks, after patching CVE-2025-30065 in Apache Parquet.
Described as a deserialization of untrusted data issue in the parquet-avro module, the Parquet bug could be exploited remotely for arbitrary code execution, potentially leading to complete system takeover.