
Critical Apache Roller flaw allows to retain unauthorized access even after a password change


Posted by Jasper_The_Rasper (Moderator)

April 15, 2025 By Pierluigi Paganini


A critical flaw (CVE-2025-24859, CVSS 10) in Apache Roller lets attackers keep access even after password changes. All versions ≤6.1.4 are affected.

A critical vulnerability, tracked as CVE-2025-24859 (CVSS score of 10.0), affects the Apache Roller open-source, Java-based blogging server software.

The flaw is a session management issue affecting Apache Roller before version 6.1.5: active user sessions are not properly invalidated after a password change. If a user's credentials were compromised, an attacker who already holds a session can keep using it even after the legitimate user changes the password, because the old session remains valid.
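The following is an added illustration of the vulnerability class described above, not code from Apache Roller or from the article's author. It models a minimal auth layer with an in-memory session store and a constructed sample account; the mitigation shown (stamping each session with a per-user "password generation" that is bumped on every change) is one common fix and is an assumption here, not a description of how Roller 6.1.5 fixes the issue. `old_session_survives_password_change` replays the scenario as a regression check: a session issued under the old password is tested after the password changes.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed in-memory model of a web app's users and sessions (illustration only;
# not Apache Roller's code).


@dataclass
class User:
    name: str
    salt: bytes
    password_hash: bytes
    # Incremented on every password change; sessions record the value at login.
    password_generation: int = 0


@dataclass
class Session:
    user: str
    password_generation: int
    created: float = field(default_factory=time.time)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class App:
    """Tiny stand-in for a blogging server's authentication layer.

    invalidate_on_change=False reproduces the flaw class from the advisory: a
    password change leaves previously issued sessions usable.
    invalidate_on_change=True applies the mitigation (assumed here): every session
    carries the password generation it was issued under, a change bumps the
    generation, and any session with a stale generation no longer authenticates.
    """

    def __init__(self, invalidate_on_change: bool):
        self.invalidate_on_change = invalidate_on_change
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, hash_password(password, salt))

    def _check(self, user: User, password: str) -> bool:
        return hmac.compare_digest(user.password_hash, hash_password(password, user.salt))

    def login(self, name: str, password: str) -> Optional[str]:
        user = self.users.get(name)
        if user is None or not self._check(user, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(name, user.password_generation)
        return sid

    def change_password(self, name: str, old: str, new: str, caller_sid: str) -> bool:
        user = self.users[name]
        if not self._check(user, old):
            return False
        user.salt = os.urandom(16)
        user.password_hash = hash_password(new, user.salt)
        if self.invalidate_on_change:
            user.password_generation += 1
            # Re-stamp only the session that performed the change so the user
            # stays logged in; every other session for this user is now stale.
            caller = self.sessions.get(caller_sid)
            if caller is not None and caller.user == name:
                caller.password_generation = user.password_generation
        return True

    def authenticated_user(self, sid: str) -> Optional[str]:
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        user = self.users.get(sess.user)
        if user is None:
            return None
        if self.invalidate_on_change and sess.password_generation != user.password_generation:
            self.sessions.pop(sid, None)  # drop the stale session server-side
            return None
        return sess.user


def old_session_survives_password_change(invalidate_on_change: bool) -> bool:
    """Regression check for the advisory's scenario: a session issued before the
    password change is tested afterwards. Returns True when it still works."""
    app = App(invalidate_on_change)
    app.register("alice", "correct horse")              # constructed sample account
    earlier_sid = app.login("alice", "correct horse")   # session issued under the old password
    current_sid = app.login("alice", "correct horse")   # the session that changes the password
    assert app.change_password("alice", "correct horse", "new battery staple", current_sid)
    return app.authenticated_user(earlier_sid) == "alice"


if __name__ == "__main__":
    print("flawed app keeps old session:", old_session_survives_password_change(False))
    print("fixed app keeps old session: ", old_session_survives_password_change(True))
```

A useful follow-on for defenders is to run the same check against a real deployment after upgrading: log in twice, change the password from one session, and confirm the other session is rejected.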


>>Full Article<<
