Pierluigi Paganini April 15, 2025

A critical flaw (CVE-2025-24859, CVSS 10) in Apache Roller lets attackers keep access even after password changes. All versions ≤6.1.4 are affected.

A critical vulnerability, tracked as CVE-2025-24859 (CVSS score of 10.0), affects the Apache Roller open-source, Java-based blogging server software.

The flaw is a session management issue that impacts in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. An attacker could exploit the flaw to retain unauthorized access even after a password change. The flaw lets attackers keep access via old sessions even after a password change if credentials were compromised.

“A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user’s password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable.” reads the advisory “This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised.”

This vulnerability impacts Apache Roller versions up to and including 6.1.4., version 6.1.5 addressed the flaw by implementing centralized session management that properly invalidates all active sessions when passwords are changed or users are disabled.

The researcher Haining Meng reported the vulnerability.

In early April, experts warned of another critical vulnerability impacting Apache Parquet’s Java Library. Apache Parquet’s Java Library is a software library for reading and writing Parquet files in the Java programming language. Parquet is a columnar storage file format that is optimized for use with large-scale data processing frameworks, such as Apache Hadoop, Apache Spark, and Apache Drill.

The vulnerability, tracked as CVE-2025-30065 (CVSS score of 10.0), could allow remote code execution

“Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code” reads the advisory.

The vulnerability CVE-2025-30065 is a Deserialization of Untrusted Data issue. The flaw affects systems importing Parquet files, especially from untrusted sources, and can be exploited by attackers tampering with the files. Versions 1.15.0 and earlier are vulnerable, with the flaw traced back to version 1.8.0. This impacts big-data frameworks (e.g., Hadoop, Spark, Flink) and custom applications using Parquet. Users should verify their software stack for this issue.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Apache)