Apache Roller, Session Management Vulnerability, CVE-2025-24859 (Critical)


How CVE-2025-24859 Works

Apache Roller versions ≤6.1.4 fail to terminate active sessions after password changes due to decentralized session tracking. When a password update occurs, the system doesn’t propagate invalidation signals to existing session tokens. Attackers holding stolen credentials can persist access via:
1. Session cookies not being revoked during credential rotation
2. Lack of server-side session validation against current auth state
3. No forced re-authentication mechanism post-password change

The vulnerability stems from Roller’s legacy session handling, which stores auth state locally per session rather than referencing a centralized authority. Fixed in 6.1.5 via a session registry implementation that cross-checks credentials against active sessions in real time.

DailyCVE Form

Platform: Apache Roller
Version: ≤6.1.4
Vulnerability: Session fixation
Severity: Critical
Date: 2025-06-03

Prediction: Patch deployed (6.1.5)

What Undercode Says:

Exploitation:

Session capture via MITM
tcpdump -i eth0 'port 80 and host victim.com' -w roller_sessions.pcap
Replay attack with preserved cookies
curl -H "Cookie: JSESSIONID=STOLEN_TOKEN" http://rollerapp/admin

Detection:

import requests

def check_session_validity(url, cookie):
    # Probe the endpoint named in the write-up with the session cookie under test;
    # 'cookie' is a dict such as {"JSESSIONID": "..."}.
    r = requests.get(url + '/api/currentUser', cookies=cookie)
    # The write-up's heuristic: a 'passwordChangedAfter' marker in the body is taken to
    # mean the session was validated against the current credential state.
    return 200 if 'passwordChangedAfter' in r.text else 403
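A log-side complement to the live probe above, added here as an example that is not part of the original post. It looks for the symptom this CVE produces: a session ID that keeps receiving successful responses after its user's password was changed, especially from a client address other than the one that made the change. It assumes a Tomcat-style access log that records the authenticated user and appends the JSESSIONID cookie value, and a password-change endpoint at /changePassword as in the Spring workaround below; the log lines, session IDs and addresses are constructed for the example.

```python
# Added example (not from the original post): detect sessions that outlive a password change.
# Assumptions: access log lines of the form
#   <ip> - <user> [<time>] "<method> <path> HTTP/1.1" <status> <bytes> <JSESSIONID>
# (e.g. Tomcat AccessLogValve with a "%{JSESSIONID}c" suffix) and a password-change
# endpoint at PASSWORD_CHANGE_PATH. All sample data below is constructed.
import re
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ (?P<sid>\S+)$'
)
PASSWORD_CHANGE_PATH = "/changePassword"   # assumed endpoint, not a Roller constant

# Constructed sample: alice changes her password from 203.0.113.10 at 10:05:00; SESSA (her own)
# and SESSB (a second session from another address) both keep getting 200s afterwards.
SAMPLE_LOG = """\
203.0.113.10 - alice [03/Jun/2025:10:00:01 +0000] "GET /roller/admin HTTP/1.1" 200 512 SESSA
198.51.100.7 - alice [03/Jun/2025:10:02:15 +0000] "GET /roller/admin HTTP/1.1" 200 512 SESSB
203.0.113.10 - alice [03/Jun/2025:10:05:00 +0000] "POST /changePassword HTTP/1.1" 302 0 SESSA
203.0.113.10 - alice [03/Jun/2025:10:05:02 +0000] "GET /roller/admin HTTP/1.1" 200 512 SESSA
198.51.100.7 - alice [03/Jun/2025:10:09:30 +0000] "GET /roller/admin HTTP/1.1" 200 512 SESSB
192.0.2.5 - bob [03/Jun/2025:10:10:00 +0000] "GET /roller/admin HTTP/1.1" 200 512 SESSC
"""


def parse_log(text):
    """Yield parsed entries; lines that do not match the assumed pattern are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            e["status"] = int(e["status"])
            yield e


def find_surviving_sessions(log_text):
    """Return {session_id: {"user", "ip", "other_ip"}} for sessions that received a 2xx
    response after their user's password change. With working revocation the set is
    empty, because every pre-change session is rejected (typically a redirect to login).
    """
    entries = list(parse_log(log_text))
    # First password change observed per user: (time, client IP that performed it).
    changes = {}
    for e in entries:
        if e["method"] == "POST" and e["path"] == PASSWORD_CHANGE_PATH and e["user"] not in changes:
            changes[e["user"]] = (e["ts"], e["ip"])
    findings = {}
    for e in entries:
        change = changes.get(e["user"])
        if change is None or e["ts"] <= change[0] or e["path"] == PASSWORD_CHANGE_PATH:
            continue
        if 200 <= e["status"] < 300:
            findings.setdefault(e["sid"], {
                "user": e["user"],
                "ip": e["ip"],
                "other_ip": e["ip"] != change[1],   # True = used from a different client
            })
    return findings


if __name__ == "__main__":
    for sid, info in find_surviving_sessions(SAMPLE_LOG).items():
        print(sid, info)
```

Entries flagged with `other_ip` True are the ones worth an immediate look: a session the user did not rotate that is still being served from elsewhere. A flagged session from the same address only shows that the fix is not in place, since the user's own session should also have been invalidated.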

Mitigation:

1. Upgrade to Roller 6.1.5+

2. Implement manual session revocation:

// Spring Security workaround: invalidate the caller's session when the password changes.
// Note: this only kills the session making the request; other sessions of the same user
// are untouched, which is exactly the gap the centralized registry in 6.1.5 closes.
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.PostMapping;

@PostMapping("/changePassword")
public void changePassword(HttpServletRequest req) {
    SecurityContextHolder.clearContext();      // drop the in-memory authentication
    HttpSession s = req.getSession(false);     // don't create a session just to invalidate it
    if (s != null) s.invalidate();
}

3. Web server layer protection (Nginx):

location ~ ^/roller {
    # Sends an already-expired JSESSIONID on every response under /roller, so the browser
    # discards its session cookie. This applies to all responses, including the login
    # response itself, so it is a blunt emergency measure rather than a long-term fix.
    add_header Set-Cookie "JSESSIONID=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT";
    proxy_pass http://backend;
}
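An added example, not code from Apache Roller or from this write-up, that models the two designs contrasted in the "How CVE-2025-24859 Works" section and in mitigation step 2 above: per-session auth state that is captured at login and never re-checked, so a password change leaves old sessions valid, versus a central registry that ties every session to its user and a password version and revokes all of them on change. The class and function names (DecentralizedSessions, RegistrySessions, survives_password_change) and the sample account are constructed for the example.

```python
# Added example (not Apache Roller code): minimal model of "auth state stored per session"
# versus "central session registry cross-checked on every request".
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    pw_version: int          # password version captured at login time


class DecentralizedSessions:
    """Vulnerable pattern: each session is self-contained; password changes are not propagated."""

    def __init__(self):
        self.users = {}      # user -> (password, version)
        self.sessions = {}   # token -> Session

    def set_password(self, user, password):
        version = self.users.get(user, (None, 0))[1] + 1
        self.users[user] = (password, version)
        # No session invalidation here: this is the defect the CVE describes.

    def login(self, user, password):
        stored, version = self.users[user]
        if not secrets.compare_digest(stored, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(16)
        self.sessions[token] = Session(user, version)
        return token

    def is_valid(self, token):
        # Only asks "does this token exist?", never "is it still consistent with the account?"
        return token in self.sessions


class RegistrySessions(DecentralizedSessions):
    """Fixed pattern: a central registry ties every session to the user and the password version."""

    def __init__(self):
        super().__init__()
        self.registry = {}   # user -> set of tokens issued to that user

    def login(self, user, password):
        token = super().login(user, password)
        self.registry.setdefault(user, set()).add(token)
        return token

    def set_password(self, user, password):
        super().set_password(user, password)
        # Propagate the change: revoke every session issued to this user, not just the caller's.
        for token in self.registry.pop(user, set()):
            self.sessions.pop(token, None)

    def is_valid(self, token):
        s = self.sessions.get(token)
        if s is None:
            return False
        # Cross-check against current auth state, not the state captured at login.
        return s.pw_version == self.users[s.user][1]


def survives_password_change(store_cls):
    """Return True if a session issued before a password change is still accepted afterwards."""
    store = store_cls()
    store.set_password("alice", "old-password")       # constructed sample account
    token = store.login("alice", "old-password")
    store.set_password("alice", "new-password")       # credential rotation
    return store.is_valid(token)


if __name__ == "__main__":
    print("decentralized sessions survive:", survives_password_change(DecentralizedSessions))  # True
    print("registry sessions survive:     ", survives_password_change(RegistrySessions))       # False
```

The password-version check in `RegistrySessions.is_valid` is the belt to the registry's braces: even if a token somehow escaped the revocation loop (a second app node, a cache), it is rejected because the version it was issued under no longer matches the account.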

Analytics:

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8)
  • Attack Vector: Network-exploitable
  • Privilege Escalation Risk: High (→ admin takeover)
  • Patch Analysis: Session registry adds 12ms auth overhead

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
