Critical Apache Roller Flaw Allows Unauthorized Access Even After Password Change

A critical flaw (CVE-2025-24859, CVSS 10) in Apache Roller, a popular open-source blogging server software, has been discovered that allows attackers to retain unauthorized access even after a password change. This vulnerability affects all versions of Apache Roller up to and including 6.1.4.

The flaw is a session management issue in how Apache Roller before version 6.1.5 handles active user sessions. Specifically, when a user's password is changed, either by the user or by an administrator, existing sessions remain active and usable. This means that an attacker who has already established a session with compromised credentials keeps that access even after the password is changed, because the old session is never invalidated.

According to a security advisory, "A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user’s password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable." This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised.

The vulnerability was reported by researcher Haining Meng. Fortunately, version 6.1.5 of Apache Roller addressed this issue by implementing centralized session management that properly invalidates all active sessions when passwords are changed or users are disabled.
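The behaviour described above, and the centralized fix the 6.1.5 release is said to implement, can be shown with a small simulation. The code below is an added example written for this article, not Apache Roller's own code: the `SessionRegistry` and `UserStore` classes, the in-memory stores, and the `alice`/`bob` accounts are all assumptions made for the illustration. The registry indexes every session by its owner, so a password change or an account disable can revoke all of that user's sessions in one call; the `invalidate_on_change=False` path reproduces the pre-6.1.5 pattern in which the old session stays valid.

```python
"""Added example (not Apache Roller code): why active sessions must be
invalidated on password change, and a centralized registry that does it.

SessionRegistry, UserStore and the in-memory stores are assumptions made
for this illustration; a real deployment would back them with the
application's session store and user database.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 only so the example is self-contained; the point here is
    # session handling, not the password hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    enabled: bool = True


class SessionRegistry:
    """Central registry: every session is indexed by the user that owns it,
    so all of a user's sessions can be revoked in one call."""

    def __init__(self) -> None:
        self._sessions: dict[str, str] = {}       # session id -> user name
        self._by_user: dict[str, set[str]] = {}   # user name -> session ids

    def create(self, username: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        self._by_user.setdefault(username, set()).add(sid)
        return sid

    def is_valid(self, sid: str) -> bool:
        return sid in self._sessions

    def invalidate_all(self, username: str) -> int:
        """Revoke every session belonging to username; returns the count."""
        sids = self._by_user.pop(username, set())
        for sid in sids:
            self._sessions.pop(sid, None)
        return len(sids)


class UserStore:
    def __init__(self, registry: SessionRegistry, invalidate_on_change: bool) -> None:
        self._users: dict[str, User] = {}
        self._registry = registry
        # False reproduces the pre-6.1.5 behaviour described in the advisory:
        # password changes and disables leave existing sessions untouched.
        self._invalidate_on_change = invalidate_on_change

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = User(name, salt, _hash_password(password, salt))

    def login(self, name: str, password: str) -> Optional[str]:
        user = self._users.get(name)
        if user is None or not user.enabled:
            return None
        if not hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt)):
            return None
        return self._registry.create(name)

    def change_password(self, name: str, new_password: str) -> None:
        user = self._users[name]
        user.salt = os.urandom(16)
        user.pw_hash = _hash_password(new_password, user.salt)
        if self._invalidate_on_change:
            self._registry.invalidate_all(name)

    def disable_user(self, name: str) -> None:
        self._users[name].enabled = False
        if self._invalidate_on_change:
            self._registry.invalidate_all(name)


def session_survives_password_change(invalidate_on_change: bool) -> bool:
    """Open a session with the old password, change the password, and report
    whether the old session is still usable afterwards."""
    registry = SessionRegistry()
    store = UserStore(registry, invalidate_on_change)
    store.add_user("alice", "old-password")   # constructed account
    sid = store.login("alice", "old-password")
    assert sid is not None
    store.change_password("alice", "new-password")
    return registry.is_valid(sid)


if __name__ == "__main__":
    print("vulnerable pattern, old session still valid:",
          session_survives_password_change(invalidate_on_change=False))
    print("fixed pattern, old session still valid:",
          session_survives_password_change(invalidate_on_change=True))
```

The same `invalidate_all` hook is what makes the "users are disabled" case work: disabling an account without revoking its sessions would leave the account usable until each session expired on its own.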

Another Critical Vulnerability Impacts Apache Parquet's Java Library

In early April, experts warned of another critical vulnerability impacting Apache Parquet's Java Library. This library is used for reading and writing Parquet files in Java; Parquet is a file format optimized for use with large-scale data processing frameworks such as Apache Hadoop, Apache Spark, and Apache Drill.

The vulnerability, tracked as CVE-2025-30065 (CVSS score of 10.0), is a Deserialization of Untrusted Data issue that allows remote code execution. The advisory states that "Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code." This means that an application which imports Parquet files from untrusted sources can be exploited by feeding it a tampered file.

Versions 1.15.0 and earlier are vulnerable, with the flaw traced back to version 1.8.0. This impacts big-data frameworks and custom applications using Parquet, as well as systems that import Parquet files from untrusted sources. Users should verify whether their software stack includes an affected parquet-avro version and take steps to protect themselves against this critical vulnerability.
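Checking a software stack for the affected module is mostly a matter of finding the `parquet-avro` dependency and comparing its version against the range the report gives (1.8.0 up to and including 1.15.0). The script below is an added example, not part of the advisory or the Parquet project: it scans a dependency listing in the `groupId:artifactId:type:version:scope` form printed by `mvn dependency:list`, and the sample listing is constructed for the example (the `1.15.1` entry is simply a version above the stated affected range, and the `1.7.0` test-scope entry is one below it).

```python
"""Added example (not from the advisory or the Parquet project): scan a
dependency listing for parquet-avro versions in the range the report
describes as affected (1.8.0 up to and including 1.15.0).

The listing below is constructed for this example; its lines mimic the
"groupId:artifactId:type:version:scope" form of `mvn dependency:list`.
"""
import re
from typing import List, Tuple

AFFECTED_GROUP = "org.apache.parquet"
AFFECTED_ARTIFACT = "parquet-avro"
FIRST_AFFECTED = (1, 8, 0)    # flaw traced back to 1.8.0 per the report
LAST_AFFECTED = (1, 15, 0)    # 1.15.0 and earlier are affected

# Constructed sample input.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.parquet:parquet-avro:jar:1.15.0:compile
[INFO]    org.apache.parquet:parquet-hadoop:jar:1.15.0:compile
[INFO]    org.apache.avro:avro:jar:1.11.4:compile
[INFO]    org.apache.parquet:parquet-avro:jar:1.7.0:test
[INFO]    org.apache.parquet:parquet-avro:jar:1.15.1:runtime
"""

# group:artifact:type:version:scope, each part made of word chars, dots, dashes
_COORD = re.compile(r"([\w.\-]+):([\w.\-]+):[\w.\-]+:([\w.\-]+):\w+")


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.15.0' -> (1, 15, 0); a qualifier such as '-SNAPSHOT' is dropped."""
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split(".") if part.isdigit())


def is_affected(version: str) -> bool:
    """True when the version falls inside the range stated by the report."""
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED


def find_affected(listing: str) -> List[Tuple[str, str]]:
    """Return (coordinate, version) for every parquet-avro entry in range."""
    hits: List[Tuple[str, str]] = []
    for line in listing.splitlines():
        match = _COORD.search(line)
        if not match:
            continue
        group, artifact, version = match.groups()
        if group == AFFECTED_GROUP and artifact == AFFECTED_ARTIFACT and is_affected(version):
            hits.append((f"{group}:{artifact}", version))
    return hits


if __name__ == "__main__":
    for coordinate, version in find_affected(SAMPLE_DEPENDENCY_LIST):
        print(f"affected: {coordinate} {version}")
```

Tuple comparison handles the version ordering (so `1.15.1` sorts above `1.15.0` and `1.7.0` below `1.8.0`) without a third-party semver library; transitive dependencies appear in the same listing, which is why the check should run over the resolved list rather than only the direct entries in a build file.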

Stay informed about the latest security updates and vulnerabilities by following me on Twitter (@securityaffairs), Facebook, and Mastodon.