Advisory

Critical session management vulnerability reported in Apache Roller

Take action: If you are running Apache Roller, plan a quick update. The flaw may not sound too serious, since most password resets are performed by users who have forgotten their password. But in the edge case where a user account is compromised and you need to kick the attacker out by resetting the password, this flaw leaves you powerless. So keep your system (and your nerves) healthy - patch it.


Learn More

A critical security vulnerability has been identified in Apache Roller, the open-source Java-based blogging server software. This severe flaw could enable malicious actors to maintain unauthorized access to affected systems even after password changes occur.

The vulnerability is tracked as CVE-2025-24859 (CVSS score 10.0) - a session management vulnerability in Apache Roller before version 6.1.5, where the system fails to properly invalidate active user sessions when passwords are changed. When a user's password is modified - whether by the user themselves or by an administrator - existing sessions remain active and usable.

If an attacker gains initial access to a user's credentials and the user or administrator changes the password in response to suspected compromise, the attacker can continue accessing the application through previously established sessions. This effectively renders the password change ineffective as a security measure.

Affected versions are Apache Roller 1.0.0 through 6.1.4.

The vulnerability has been fixed in Apache Roller 6.1.5 through the implementation of centralized session management. This enhanced mechanism properly invalidates all active sessions when:

  • User passwords are changed
  • User accounts are disabled
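
The following is an added, constructed illustration (not Apache Roller's code) of the difference between the two behaviours described above: a password change that only rotates the stored hash and leaves every live session usable, versus one backed by a central per-user session registry that revokes all sessions on password change or account disable. The class name, the in-memory stores and the sample user are assumptions made for the example.

```python
import hashlib
import secrets

def hash_password(password):
    # Demonstration only; a real deployment uses a slow, salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()

class AccountService:
    """Constructed in-memory model of accounts, sessions and a per-user registry."""

    def __init__(self):
        self.passwords = {}         # user_id -> password hash
        self.disabled = set()       # user_ids of disabled accounts
        self.sessions = {}          # session_id -> user_id
        self.sessions_by_user = {}  # user_id -> set of session_ids (central registry)

    def login(self, user_id, password):
        """Return a fresh session id on valid credentials, otherwise None."""
        stored = self.passwords.get(user_id)
        if user_id in self.disabled or stored != hash_password(password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user_id
        self.sessions_by_user.setdefault(user_id, set()).add(sid)
        return sid

    def session_user(self, sid):
        """Resolve a presented session id; None means it is not usable."""
        user_id = self.sessions.get(sid)
        return None if user_id is None or user_id in self.disabled else user_id

    def change_password_unsafe(self, user_id, new_password):
        """Pre-fix pattern: the hash rotates but every live session survives."""
        self.passwords[user_id] = hash_password(new_password)

    def revoke_all_sessions(self, user_id):
        """Central revocation: drop every session the registry holds for the user."""
        for sid in self.sessions_by_user.pop(user_id, set()):
            self.sessions.pop(sid, None)

    def change_password(self, user_id, new_password):
        """Fixed pattern: rotate the hash, then revoke all of the user's sessions."""
        self.passwords[user_id] = hash_password(new_password)
        self.revoke_all_sessions(user_id)

    def disable_account(self, user_id):
        """Disabling an account also revokes every session it holds."""
        self.disabled.add(user_id)
        self.revoke_all_sessions(user_id)
```

With `change_password_unsafe`, a session established before the reset still resolves to the user afterwards; with `change_password` or `disable_account`, the same session id resolves to nothing and the holder must authenticate again.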

Users are strongly encouraged to upgrade to version 6.1.5 immediately.
