Session Management Vulnerability in Apache Roller by Apache
CVE-2025-24859

10 CRITICAL

Key Information:

Vendor: Apache
CVE Published: 14 April 2025

Badges

Trending now; Trended (score: 2,440); Exploit exists; News worthy

What is CVE-2025-24859?

CVE-2025-24859 is a session management vulnerability in Apache Roller, an open-source blogging and website management application. It affects versions prior to 6.1.5, in which active user sessions are not terminated after a password change. An attacker who has already obtained a user's credentials and logged in with them can therefore keep using that stale session after the password is changed, so the change does not cut off the unauthorized access. Because Apache Roller is widely used for content management, the vulnerability can seriously compromise the security of organizations that rely on it.

Technical Details

The vulnerability resides in Apache Roller's session management and affects versions up to and including 6.1.4. When a user's password is updated, whether by the user or by an administrator, sessions established before the update remain active. An attacker who obtained the old credentials and opened a session with them can therefore keep using that session without interruption, despite the password change.

The issue stems from the absence of centralized session management, which version 6.1.5 introduces. With the fix, all of a user's active sessions are invalidated immediately when the password is changed or the account is disabled, which removes the risk posed by stale sessions.
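The pattern the fix describes, a central registry of live sessions that can be swept on a credential event, is easier to see in code. The block below is an added illustration written for this page, not Apache Roller's own code (it is Python rather than Roller's Java for brevity); the class and function names, the sample user and the passwords are all constructed for the example. It contrasts a password change that leaves sessions untouched (the pre-6.1.5 behaviour) with one that revokes every session of the affected user, and applies the same revocation when an account is disabled.

```python
"""Added example, not code from Apache Roller: a minimal server-side session
registry showing the weakness described above (sessions outlive a password
change) and the fix (all of the user's sessions are revoked centrally).
All names, users and passwords here are constructed for illustration."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set, Tuple


def _hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def _verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(_hash_password(password, salt)[1], digest)


class SessionStore:
    """Central registry: session id -> (owner, expiry) plus owner -> session ids,
    so every session of one user can be found and revoked in a single call."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Tuple[str, float]] = {}
        self._by_user: Dict[str, Set[str]] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, time.monotonic() + self.ttl)
        self._by_user.setdefault(user, set()).add(sid)
        return sid

    def owner(self, sid: str) -> Optional[str]:
        """User bound to a session id, or None if it is unknown, revoked or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expiry = entry
        if expiry < time.monotonic():
            self._sessions.pop(sid, None)
            self._by_user.get(user, set()).discard(sid)
            return None
        return user

    def revoke_all(self, user: str) -> int:
        """Drop every session belonging to `user`; returns how many were revoked."""
        sids = self._by_user.pop(user, set())
        for sid in sids:
            self._sessions.pop(sid, None)
        return len(sids)


class AccountService:
    def __init__(self, store: SessionStore) -> None:
        self.store = store
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}
        self._disabled: Set[str] = set()

    def register(self, user: str, password: str) -> None:
        self._creds[user] = _hash_password(password)

    def login(self, user: str, password: str) -> Optional[str]:
        if user in self._disabled or user not in self._creds:
            return None
        salt, digest = self._creds[user]
        return self.store.create(user) if _verify_password(password, salt, digest) else None

    def change_password_stale(self, user: str, new_password: str) -> None:
        """Pre-fix behaviour: the credential changes, existing sessions keep working."""
        self._creds[user] = _hash_password(new_password)

    def change_password(self, user: str, new_password: str) -> int:
        """Fixed behaviour: the credential changes and every live session is revoked."""
        self._creds[user] = _hash_password(new_password)
        return self.store.revoke_all(user)

    def disable(self, user: str) -> int:
        """Disabling an account revokes its sessions too, as the 6.1.5 fix does."""
        self._disabled.add(user)
        return self.store.revoke_all(user)


def stale_session_survives(fixed: bool) -> bool:
    """Replay a session opened before a password change after the change.
    Returns True if the old session is still accepted (the vulnerable outcome)."""
    store = SessionStore()
    svc = AccountService(store)
    svc.register("alice", "old-password")      # constructed sample user
    sid = svc.login("alice", "old-password")   # session from before the change
    assert sid is not None
    if fixed:
        svc.change_password("alice", "new-password")
    else:
        svc.change_password_stale("alice", "new-password")
    return store.owner(sid) == "alice"


if __name__ == "__main__":
    print("pre-6.1.5 style:", stale_session_survives(fixed=False))  # True
    print("fixed style:    ", stale_session_survives(fixed=True))   # False
```

The reverse index (`_by_user`) is the part that matters: a request handler can only reach the session it is currently serving, and the Java Servlet API likewise offers no standard way to enumerate the other sessions a user holds, so without a registry of this kind (or an equivalent per-user token version checked on every request) a password change has nothing to revoke. Logging the count returned by `revoke_all` also gives defenders a useful signal, since a password change that tears down sessions from unexpected addresses is worth a second look.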

Potential impact of CVE-2025-24859

  1. Unauthorized Access: An attacker who already holds a session can keep using it after the user's password has been changed, increasing the risk of data breaches and exposure of sensitive information.

  2. User Credential Compromise: If an attacker obtains a user's credentials and logs in before the user changes the password, the attacker can continue to operate undetected through the old session, potentially carrying out extensive unauthorized activity within the application.

  3. Increased Exposure to Follow-on Attacks: Persistent unauthorized access makes the system more susceptible to further attacks, such as planting malicious content or manipulating data, undermining the integrity of the application and its data.

Affected Version(s)

Apache Roller >= 1.0.0, < 6.1.5

News Articles

Critical Vulnerability in Apache Roller

Apache Software Foundation has released updates addressing a critical vulnerability affecting their Apache Roller. Users and administrators of the affected...

3 days ago

Max Severity Bug in Apache Roller Enabled Persistent Access

The remediated flaw gave adversaries a way to maintain access to the app through password resets.

3 days ago

Critical Apache Roller flaw allows attackers to retain unauthorized access even after a password change

A critical flaw (CVE-2025-24859) in Apache Roller lets attackers keep access even after password changes. All versions ≤6.1.4 are affected.

4 days ago

CVSS v4

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability started trending
  • Exploit known to exist
  • First article discovered by Cyber Press
  • Vulnerability published
  • Vulnerability reserved

Credit

Haining Meng