CVE-2025-24859

8.8 HIGH

📋 TL;DR

Apache Roller versions up to 6.1.4 have a session management vulnerability where active user sessions remain valid after password changes. This allows attackers who have compromised credentials to maintain access even after passwords are changed. All Apache Roller deployments using affected versions are vulnerable.

💻 Affected Systems

Products:
  • Apache Roller
Versions: All versions before 6.1.5
Operating Systems: All operating systems running Apache Roller
Default Config Vulnerable: ⚠️ Yes
Notes: All Apache Roller deployments using affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers maintain persistent access to compromised accounts even after password changes, potentially accessing sensitive data, performing unauthorized actions, or escalating privileges.

🟠 Likely Case

Credential theft leads to persistent unauthorized access until sessions naturally expire, allowing data exfiltration or manipulation.

🟢 If Mitigated

With proper monitoring and session timeout policies, impact is limited to the session duration window after password change.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly exposed to credential stuffing and session hijacking attacks.
🏢 Internal Only: MEDIUM - Internal instances still vulnerable to insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires stolen credentials but is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.1.5

Vendor Advisory: https://lists.apache.org/thread/4j906k16v21kdx8hk87gl7663sw7lg7f

Restart Required: Yes

Instructions:

1. Download Apache Roller 6.1.5 from the official Apache repository.
2. Back up the current installation and data.
3. Deploy the new version following the Apache Roller upgrade documentation.
4. Restart the application server.

🔧 Temporary Workarounds

Manual Session Invalidation (applies to: all)

Manually invalidate all active sessions after password changes by clearing session storage or restarting the application server.

Restart application server (e.g., 'systemctl restart tomcat')

Reduce Session Timeout (applies to: all)

Configure shorter session timeout values to limit the exposure window.

Modify session-timeout in web.xml or application configuration

🧯 If You Can't Patch

  • Implement external session management that invalidates sessions on password change events
  • Deploy WAF rules to detect and block suspicious session activity patterns

🔍 How to Verify

Check if Vulnerable:

Check Apache Roller version in admin interface or by examining application files. Versions 6.1.4 and earlier are vulnerable.

Check Version:

Check WEB-INF/classes/roller.properties or admin interface for version information

Verify Fix Applied:

After upgrading to 6.1.5, test by changing a user password and verifying existing sessions are invalidated.

📡 Detection & Monitoring

Log Indicators:

  • Multiple successful logins from same user from different locations/times
  • User activity continuing after password change events

Network Indicators:

  • Sustained session activity patterns inconsistent with normal user behavior

SIEM Query:

source="roller.log" AND (event="password_change" OR event="login") | stats count by user, session_id | where count > threshold
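The "user activity continuing after password change" indicator above, as an added detection example that is not part of this advisory: a Python script over constructed log lines (the line format is assumed for illustration, not Roller's real log format) that flags every session established before a user's password change and still active after it, excluding the session that performed the change.

```python
import re
from datetime import datetime, timezone

# Assumed line format (constructed for this example): "<ts> <event> user=<u> session=<id> ip=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) session=(?P<sid>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: alice changes her password from session s2 at 10:12, but her
# older session s1 keeps working afterwards (the behaviour this CVE describes).
SAMPLE_LOG = [
    "2025-04-15T10:00:01Z login user=alice session=s1 ip=203.0.113.5",
    "2025-04-15T10:05:00Z activity user=alice session=s1 ip=203.0.113.5",
    "2025-04-15T10:10:00Z login user=alice session=s2 ip=198.51.100.9",
    "2025-04-15T10:12:00Z password_change user=alice session=s2 ip=198.51.100.9",
    "this line is malformed and is skipped by the parser",
    "2025-04-15T10:20:00Z activity user=alice session=s1 ip=203.0.113.5",
    "2025-04-15T10:21:00Z activity user=alice session=s2 ip=198.51.100.9",
    "2025-04-15T10:25:00Z login user=alice session=s4 ip=198.51.100.9",
    "2025-04-15T10:26:00Z activity user=alice session=s4 ip=198.51.100.9",
    "2025-04-15T10:30:00Z login user=bob session=s3 ip=192.0.2.7",
]

def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def find_stale_sessions(lines):
    """Return (user, session, change_ts, activity_ts) for each event where a session
    that already existed before the user's password change is still active after it.
    Lines are assumed to be in chronological order."""
    first_seen = {}  # (user, session) -> timestamp the session was first observed
    changes = {}     # user -> list of (change_ts, session that made the change)
    findings = []
    for rec in filter(None, map(parse, lines)):
        key = (rec["user"], rec["sid"])
        first_seen.setdefault(key, rec["ts"])
        if rec["event"] == "password_change":
            changes.setdefault(rec["user"], []).append((rec["ts"], rec["sid"]))
            continue
        for change_ts, changer in changes.get(rec["user"], []):
            # The changing session is expected to survive; a new login is expected too.
            if rec["sid"] != changer and first_seen[key] < change_ts < rec["ts"]:
                findings.append((rec["user"], rec["sid"], change_ts, rec["ts"]))
    return findings

if __name__ == "__main__":
    for user, sid, changed, seen in find_stale_sessions(SAMPLE_LOG):
        print(f"{user}: session {sid} active at {seen} after password change at {changed}")
```

On the sample above only alice's pre-change session s1 is reported; the session that changed the password and the fresh login s4 are not.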
