A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blog server software that could allow malicious actors to retain unauthorized access even after a password change.
The flaw, assigned the CVE identifier CVE-2025-24859, carries a CVSS score of 10.0, indicating maximum severity. It affects all versions of Roller up to and including 6.1.4.

“A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes,” the project maintainers said in an advisory.
“When a user’s password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable.”
Successful exploitation of the flaw could enable an attacker to maintain continued access to the application through old sessions even after password changes. It could also enable unfettered access if credentials have been compromised.
The shortcoming has been addressed in version 6.1.5 by implementing centralized session management such that all active sessions are invalidated when passwords are changed or users are disabled.
Security researcher Haining Meng has been credited with discovering and reporting the vulnerability.
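As an added illustration, not code from Apache Roller or the advisory, here is a minimal centralized session registry in Python that shows the behaviour described above beside the fix: sessions issued before a password change (or an account being disabled) stay usable unless the password-change and disable paths revoke every session belonging to that user. The class names SessionStore and UserService and the usernames are assumptions constructed for the example.

```python
import secrets


class SessionStore:
    """Centralized session registry: maps tokens to users and users to their tokens."""

    def __init__(self):
        self._sessions = {}   # token -> username
        self._by_user = {}    # username -> set of tokens (needed to revoke all at once)

    def create(self, username):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        self._by_user.setdefault(username, set()).add(token)
        return token

    def is_valid(self, token):
        return token in self._sessions

    def revoke_all(self, username):
        """Invalidate every active session for one user, on every device/browser."""
        for token in self._by_user.pop(username, set()):
            self._sessions.pop(token, None)


class UserService:
    def __init__(self, store, revoke_on_change):
        self.store = store
        self.revoke_on_change = revoke_on_change  # False models the pre-6.1.5 behaviour
        self.passwords = {}                       # real code stores a salted hash
        self.disabled = set()

    def change_password(self, username, new_password):
        self.passwords[username] = new_password
        if self.revoke_on_change:
            self.store.revoke_all(username)

    def disable_user(self, username):
        self.disabled.add(username)
        if self.revoke_on_change:
            self.store.revoke_all(username)


def stale_session_survives(revoke_on_change, action="change_password"):
    """Return True if a session issued before the action is still accepted afterwards."""
    store = SessionStore()
    svc = UserService(store, revoke_on_change)
    svc.change_password("alice", "initial-pw")   # constructed user and password
    pre_reset_token = store.create("alice")       # session obtained before the reset
    if action == "change_password":
        svc.change_password("alice", "new-pw")    # user or admin resets the password
    else:
        svc.disable_user("alice")                 # admin disables the account
    return store.is_valid(pre_reset_token)
```

With `revoke_on_change=False` the old session is still valid after the reset, which is the CVE-2025-24859 condition; with `revoke_on_change=True` both the password-change and disable paths reject it.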

The disclosure comes weeks after another critical vulnerability was disclosed in Apache Parquet’s Java Library (CVE-2025-30065, CVSS score: 10.0) that, if successfully exploited, could allow a remote attacker to execute arbitrary code on susceptible instances.
Last month, a critical security flaw affecting Apache Tomcat (CVE-2025-24813, CVSS score: 9.8) came under active exploitation shortly after details of the bug became public knowledge.