A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain unauthorized access even after a password change.
The flaw, assigned the CVE identifier CVE-2025-24859, carries a CVSS score of 10.0, indicating maximum severity. It impacts all versions of Roller up to and including 6.1.4.
"A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes," the project maintainers said in an advisory.
"When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable."
Successful exploitation of the flaw could allow an attacker to maintain continued access to the application through old sessions even after password changes. It could also enable unfettered access if credentials had been compromised.
The shortcoming has been addressed in version 6.1.5 by implementing centralized session management such that all active sessions are invalidated when passwords are changed or users are disabled.
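To make the fix concrete, here is an added illustration of the centralized session-management pattern the advisory describes: a registry that tracks every live session against its owning user, so a password change or an account disable revokes all of that user's sessions in one step. This is example code written for this article, not Apache Roller's own implementation; the class name `SessionRegistry`, its methods, and the user name `alice` are assumptions, and it uses only the Java standard library (Java 8 or later).

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical centralized session registry (not Apache Roller's code).
 * Every session id is recorded against the user who owns it, which is what
 * makes "invalidate all sessions for this user" a cheap, single operation.
 */
public final class SessionRegistry {
    private static final SecureRandom RNG = new SecureRandom();

    // session id -> owning user
    private final Map<String, String> sessionOwner = new ConcurrentHashMap<>();
    // user -> ids of that user's live sessions
    private final Map<String, Set<String>> userSessions = new ConcurrentHashMap<>();
    // users whose accounts have been disabled by an administrator
    private final Set<String> disabledUsers = ConcurrentHashMap.newKeySet();

    /** Called after a successful password check: mints a 256-bit random session id. */
    public String login(String user) {
        if (disabledUsers.contains(user)) {
            throw new IllegalStateException("account disabled: " + user);
        }
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessionOwner.put(id, user);
        userSessions.computeIfAbsent(user, u -> ConcurrentHashMap.newKeySet()).add(id);
        return id;
    }

    /** A session is valid only while it is registered and its owner is still enabled. */
    public boolean isValid(String sessionId) {
        String user = sessionOwner.get(sessionId);
        return user != null && !disabledUsers.contains(user);
    }

    /** Revokes every session that belongs to the user; returns how many were dropped. */
    public int invalidateAll(String user) {
        Set<String> ids = userSessions.remove(user);
        if (ids == null) {
            return 0;
        }
        ids.forEach(sessionOwner::remove);
        return ids.size();
    }

    /**
     * Password-change path. Persisting the new hash is left out (it belongs to the
     * user store); the security-relevant step is that all sessions are revoked
     * afterwards, whether the user or an administrator made the change.
     */
    public void changePassword(String user, String newPasswordHash) {
        // ... write newPasswordHash to the user store here (not shown) ...
        invalidateAll(user);
    }

    /** Disabling an account must also revoke its sessions, not just block new logins. */
    public void disableUser(String user) {
        disabledUsers.add(user);
        invalidateAll(user);
    }

    public static void main(String[] args) {
        SessionRegistry reg = new SessionRegistry();

        // Two sessions established before the password change, e.g. the user's own
        // browser and a second one opened with the old credentials from elsewhere.
        String staleSession = reg.login("alice");
        String laptopSession = reg.login("alice");
        System.out.println("before change, stale session valid: " + reg.isValid(staleSession));

        reg.changePassword("alice", "<new-password-hash>");
        System.out.println("after change, stale session valid:  " + reg.isValid(staleSession));
        System.out.println("after change, laptop session valid: " + reg.isValid(laptopSession));

        // The user signs in again with the new password and gets a fresh session.
        String fresh = reg.login("alice");
        System.out.println("fresh session valid: " + reg.isValid(fresh));

        // An administrator disabling the account revokes the fresh session too.
        reg.disableUser("alice");
        System.out.println("after disable, fresh session valid: " + reg.isValid(fresh));
    }
}
```

The design point is the reverse index from user to session ids: with only a per-session store, a server can expire the session that made the password-change request but has no way to find the others, which is exactly the gap the advisory describes. Compile and run it with `javac SessionRegistry.java && java SessionRegistry` to watch the pre-change sessions stop validating.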
Security researcher Haining Meng has been credited with discovering and reporting the vulnerability.
The disclosure comes weeks after another critical vulnerability was disclosed in Apache Parquet's Java Library (CVE-2025-30065, CVSS score: 10.0) that, if successfully exploited, could allow a remote attacker to execute arbitrary code on susceptible instances.
Last month, a critical security flaw impacting Apache Tomcat (CVE-2025-24813, CVSS score: 9.8) came under active exploitation shortly after details of the bug became public knowledge.