
A critical security vulnerability has been discovered in Apache Roller, an open-source Java-based blogging server. This flaw enables attackers to retain unauthorized access even after a user’s password has been changed.
The vulnerability has been assigned the identifier CVE-2025-24859 and has received the highest possible CVSS score of 10.0, marking it as extremely critical. All versions of Apache Roller up to and including 6.1.4 are affected.
“A session management vulnerability exists in Apache Roller versions prior to 6.1.5: active user sessions are not properly invalidated after a password change,” the developers stated in their advisory.
“When a user’s password is changed—regardless of whether it is done by the user or an administrator—all active sessions remain valid and operational.”
If exploited successfully, this vulnerability allows an attacker who already holds a session cookie or token to keep using that stale session even after the password has been changed. Where credentials have been compromised and the victim rotates the password in response, the attacker's existing session is unaffected, which can leave them with unrestricted, full access to the application.
The issue has been resolved in version 6.1.5, which introduces centralized session management. All active sessions are now invalidated upon password changes or user deactivation.
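The flaw class and its fix can be shown with a toy session store. The following is an added illustration, not Apache Roller code: users and passwords ("alice", "old-password") are constructed for the demo, and the `SessionStore` class, its `invalidate_on_change` switch and the `run_scenario` helper are hypothetical names chosen here. With `invalidate_on_change=False` the store behaves as the advisory describes (sessions are decided purely by token lookup, so a password change or deactivation leaves them usable); with `True` every session belonging to the user is revoked centrally when the password changes or the account is deactivated, optionally keeping the session that performed the change.

```python
"""Toy session store contrasting sessions that survive a password change
with centralized invalidation. Constructed example; not Apache Roller code."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    active: bool = True


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2; the hashing scheme is incidental to the session issue.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """Maps opaque session tokens to usernames (hypothetical class).

    invalidate_on_change=False: a password change or deactivation does not
    touch existing sessions, so any token issued earlier keeps working.
    invalidate_on_change=True: all of the user's sessions are revoked on
    either event; the caller may keep the session that made the change.
    """

    def __init__(self, invalidate_on_change: bool) -> None:
        self.invalidate_on_change = invalidate_on_change
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, str] = {}  # token -> username

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(username, salt, _hash(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None or not user.active:
            return None
        if not hmac.compare_digest(user.pw_hash, _hash(password, user.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def is_valid(self, token: str) -> bool:
        # Validity is decided from the session table alone, as a server-side
        # session container typically does; nothing re-checks credentials.
        return token in self.sessions

    def revoke_all(self, username: str, keep: Optional[str] = None) -> int:
        """Revoke every session of `username` except `keep`; return the count."""
        doomed = [t for t, u in self.sessions.items() if u == username and t != keep]
        for t in doomed:
            del self.sessions[t]
        return len(doomed)

    def change_password(self, username: str, new_password: str,
                        current_token: Optional[str] = None) -> None:
        user = self.users[username]
        user.salt = os.urandom(16)
        user.pw_hash = _hash(new_password, user.salt)
        if self.invalidate_on_change:
            self.revoke_all(username, keep=current_token)

    def deactivate(self, username: str) -> None:
        self.users[username].active = False
        if self.invalidate_on_change:
            self.revoke_all(username)


def run_scenario(invalidate_on_change: bool) -> Dict[str, bool]:
    """Open two sessions, change the password from one, then deactivate."""
    store = SessionStore(invalidate_on_change)
    store.register("alice", "old-password")            # constructed user
    stale = store.login("alice", "old-password")       # e.g. session on a lost device
    current = store.login("alice", "old-password")     # session that performs the change
    if stale is None or current is None:
        raise RuntimeError("login with the initial password must succeed")
    store.change_password("alice", "new-password", current_token=current)
    result = {
        "stale_valid_after_change": store.is_valid(stale),
        "current_valid_after_change": store.is_valid(current),
        "old_password_still_logs_in": store.login("alice", "old-password") is not None,
    }
    store.deactivate("alice")
    result["current_valid_after_deactivation"] = store.is_valid(current)
    return result


if __name__ == "__main__":
    print("no invalidation:", run_scenario(False))
    print("centralized invalidation:", run_scenario(True))
```

The contrast to notice is that in both configurations the old password is rejected at login, so a credential check alone looks healthy; only the session table reveals whether a token issued before the change is still honoured. A production fix also has to cover sessions held by other nodes or a distributed cache, which is why the store, not the login handler, owns revocation here.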
Security researcher Haining Meng has been credited with the discovery and responsible disclosure of the flaw.
This revelation follows closely on the heels of another critical vulnerability in the Apache Parquet Java library (CVE-2025-30065, CVSS: 10.0), which allows remote attackers to execute arbitrary code on vulnerable systems.
Just last month, another critical flaw was identified in Apache Tomcat (CVE-2025-24813, CVSS: 9.8), which was swiftly targeted in active exploitation campaigns following the release of its technical details.