CVE-2025-24859 · HIGH 8.8 · EPSS percentile 60.1%

CVE-2025-24859

Description

A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable. This allows continued access to the application through old sessions even after password changes, potentially enabling unauthorized access if credentials were compromised. This issue affects Apache Roller versions up to and including 6.1.4. The vulnerability is fixed in Apache Roller 6.1.5 by implementing centralized session management that properly invalidates all active sessions when passwords are changed or users are disabled.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.06% probability of exploitation · percentile 60.1% · 2026-06-18T12:00:27Z
Published: 2025-04-14
Last modified: 2025-06-03

Underlying weaknesses (1)

CWE-613 (Insufficient Session Expiration)

References

  1. https://lists.apache.org/thread/4j906k16v21kdx8hk87gl7663sw7lg7f
  2. https://lists.apache.org/thread/vxv52vdr8nhtjlj6v02w43fdvo0cxw23
  3. http://www.openwall.com/lists/oss-security/2025/04/11/1


Type      Target                                      Confidence  Tier
Weakness  Insufficient Session Expiration (CWE-613)   0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-66289
  2. CVE-2025-59786
  3. CVE-2025-54761
  4. CVE-2026-1435
  5. CVE-2025-41429
  6. CVE-2026-45434

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.