A critical security vulnerability has been disclosed in Apache Roller, the Java-based open-source blog software, that could allow malicious actors to retain unauthorized access even after a password change.
The flaw, assigned the CVE identifier CVE-2025-2489, carries a CVSS score of 10.0, indicating maximum severity. It affects all versions of Roller up to and including 6.1.4.
"A session management vulnerability exists in Apache Roller prior to version 6.1.5," the advisory notes.
"If a user's password is changed, either by the user or by an administrator, existing sessions remain active and usable."
Successful exploitation of the flaw could allow an attacker to maintain persistent access through old sessions even after a password change. It could also provide unrestricted access if credentials have been compromised. In practice this means that, on affected versions, resetting a password is not by itself a sufficient response to a suspected account compromise: the account's active sessions must also be terminated.
The flaw was addressed in version 6.1.5 by introducing centralized session management, so that all active sessions are invalidated when a password is changed or a user is disabled.
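To make the difference concrete, the following is an added example written for this page; it is not Apache Roller's code, and the class and function names, the in-memory stores and the sample users are this example's own assumptions. The first store reproduces the pattern the advisory describes (a password change that leaves existing sessions usable); the second keeps a per-user index of live sessions and revokes them all on a password change or an account disable, which is the behaviour the fix is described as introducing.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # adequate for a demo; tune for production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the stores never hold plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PerSessionStore:
    """Vulnerable pattern (mirrors the advisory): sessions are keyed only by
    token, so nothing ties a credential change to the sessions minted under
    the old credential, and change_password() leaves them all usable."""

    def __init__(self) -> None:
        self.users: dict[str, list] = {}    # username -> [salt, pw_hash, disabled]
        self.sessions: dict[str, str] = {}  # session token -> username

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = [salt, hash_password(password, salt), False]

    def login(self, username: str, password: str):
        """Return a fresh session token, or None if the credentials are rejected."""
        record = self.users.get(username)
        if record is None:
            return None
        salt, pw_hash, disabled = record
        if disabled or not hmac.compare_digest(hash_password(password, salt), pw_hash):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def session_user(self, token: str):
        """Resolve a presented token; None means the session is not valid."""
        return self.sessions.get(token)

    def change_password(self, username: str, new_password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username][0:2] = [salt, hash_password(new_password, salt)]
        # Deliberately no session handling here: this is the flaw being shown.


class CentralizedSessionStore(PerSessionStore):
    """Fixed pattern: a per-user index of live tokens lets a password change
    or an account disable revoke every session belonging to that user."""

    def __init__(self) -> None:
        super().__init__()
        self.by_user: dict[str, set[str]] = {}  # username -> live tokens

    def login(self, username: str, password: str):
        token = super().login(username, password)
        if token is not None:
            self.by_user.setdefault(username, set()).add(token)
        return token

    def revoke_all(self, username: str) -> int:
        """Invalidate every session the user holds; returns how many were revoked."""
        tokens = self.by_user.pop(username, set())
        for token in tokens:
            self.sessions.pop(token, None)
        return len(tokens)

    def change_password(self, username: str, new_password: str) -> None:
        super().change_password(username, new_password)
        self.revoke_all(username)  # the caller re-authenticates with the new password

    def disable_user(self, username: str) -> None:
        self.users[username][2] = True
        self.revoke_all(username)  # no login and no lingering session for a disabled user


def stolen_session_survives_password_change() -> dict:
    """Constructed scenario: an attacker holds a session token captured before
    the victim (or an admin) changes the password. True = old token still works."""
    outcome = {}
    for label, store_cls in (("vulnerable", PerSessionStore), ("fixed", CentralizedSessionStore)):
        store = store_cls()
        store.add_user("alice", "old-password")
        stolen_token = store.login("alice", "old-password")  # captured by the attacker
        store.change_password("alice", "new-password")        # the intended remediation
        outcome[label] = store.session_user(stolen_token) == "alice"
    return outcome


def disabled_user_is_locked_out() -> bool:
    """Constructed scenario: disabling an account must kill its sessions and block login."""
    store = CentralizedSessionStore()
    store.add_user("bob", "secret")
    token = store.login("bob", "secret")
    store.disable_user("bob")
    return store.session_user(token) is None and store.login("bob", "secret") is None


if __name__ == "__main__":
    print(stolen_session_survives_password_change())  # {'vulnerable': True, 'fixed': False}
    print(disabled_user_is_locked_out())               # True
```

The design point is the per-user index: a store that can only look sessions up by token has no way to enumerate, and therefore no way to revoke, the sessions a given account holds, which is exactly why a password change alone does nothing to them. The same index is what makes "disable user" a real lock-out rather than just a refusal of new logins.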
Security researcher Haining Meng has been credited with discovering and reporting the vulnerability.
The disclosure comes a few weeks after another critical vulnerability was revealed in the Java Apache Parquet library (CVE-2025-30065).
Last month also saw a critical security flaw affecting Apache Tomcat (CVE-2025-24813).