Saturday, April 19, 2025

Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence


A critical security vulnerability has been disclosed in Apache Roller, the open-source, Java-based blog server software, that could allow malicious actors to retain unauthorized access even after a password change.

The flaw, assigned the CVE identifier CVE-2025-24859, carries a CVSS score of 10.0, indicating maximum severity. It affects all versions of Roller up to and including 6.1.4.

“A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes,” the project maintainers said in an advisory.

“When a user’s password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable.”

Successful exploitation of the flaw could allow an attacker to maintain continued access to the application through old sessions even after password changes. It could also allow unfettered access if credentials had been compromised.

The shortcoming has been addressed in version 6.1.5 by implementing centralized session management such that all active sessions are invalidated when passwords are changed or users are disabled.
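The fix the advisory describes, a central session registry so that a password change or account disable revokes every live session of that user, shown as an added Python example (not Roller's own Java code): `AuthService(revoke_on_change=False)` reproduces the pre-6.1.5 behaviour and `True` the patched one. All names, the user records and the SHA-256 stand-in for password hashing are constructed for this illustration.

```python
import hashlib
import secrets

def hash_password(password):
    return hashlib.sha256(password.encode()).hexdigest()  # demo only; use bcrypt/argon2

class SessionRegistry:
    """Central session store with a per-user index, so every live session of a
    user can be revoked at once (the shape of the 6.1.5 fix)."""
    def __init__(self):
        self._owner = {}    # token -> username
        self._by_user = {}  # username -> set of tokens
    def open(self, username):
        token = secrets.token_urlsafe(32)
        self._owner[token] = username
        self._by_user.setdefault(username, set()).add(token)
        return token
    def resolve(self, token):
        return self._owner.get(token)  # None once revoked or unknown
    def revoke_all(self, username):
        for token in self._by_user.pop(username, set()):
            self._owner.pop(token, None)

class AuthService:
    def __init__(self, revoke_on_change):
        self.revoke_on_change = revoke_on_change  # False mimics pre-6.1.5
        self.sessions, self.users = SessionRegistry(), {}
    def login(self, username, password):
        user = self.users.get(username)
        if user and user["enabled"] and user["hash"] == hash_password(password):
            return self.sessions.open(username)
        return None
    def change_password(self, username, new_password):
        self.users[username]["hash"] = hash_password(new_password)
        if self.revoke_on_change:  # the step that was missing before 6.1.5
            self.sessions.revoke_all(username)
    def disable_user(self, username):
        self.users[username]["enabled"] = False
        if self.revoke_on_change:
            self.sessions.revoke_all(username)

def old_session_survives(revoke_on_change, disable_instead=False):
    """True if a session opened before a password change (or account disable)
    stays usable afterwards: the CVE-2025-24859 condition."""
    svc = AuthService(revoke_on_change)
    svc.users["alice"] = {"hash": hash_password("old-pass"), "enabled": True}  # constructed user
    token = svc.login("alice", "old-pass")
    svc.disable_user("alice") if disable_instead else svc.change_password("alice", "new-pass")
    return svc.sessions.resolve(token) == "alice"
```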

Security researcher Haining Meng has been credited with discovering and reporting the vulnerability.

The disclosure comes weeks after another critical vulnerability was disclosed in Apache Parquet’s Java Library (CVE-2025-30065, CVSS score: 10.0) that, if successfully exploited, could allow a remote attacker to execute arbitrary code on susceptible instances.

Last month, a critical security flaw impacting Apache Tomcat (CVE-2025-24813, CVSS score: 9.8) came under active exploitation shortly after details of the bug became public knowledge.
