A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain unauthorized access even after a password change.
The flaw, assigned the CVE identifier CVE-2025-24859, carries a CVSS score of 10.0, indicating maximum severity. It affects all versions of Roller up to and including 6.1.4.
“A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes,” the project maintainers said in an advisory.
“When a user’s password is changed, either by the user themselves or by an administrator, existing sessions remain active and usable.”
Successful exploitation of the flaw could enable an attacker to maintain continued access to the application through old sessions even after password changes. It could also enable unfettered access if credentials were compromised: rotating the password, normally the first containment step after a credential leak, would not evict a session the attacker had already established.
The shortcoming has been addressed in version 6.1.5 by implementing centralized session management such that all active sessions are invalidated when passwords are changed or users are disabled.
Security researcher Haining Meng has been credited with discovering and reporting the vulnerability.
The disclosure comes weeks after another critical vulnerability was disclosed in Apache Parquet’s Java library (CVE-2025-30065, CVSS score: 10.0) that, if successfully exploited, could allow a remote attacker to execute arbitrary code on susceptible instances.
Last month, a critical security flaw impacting Apache Tomcat (CVE-2025-24813, CVSS score: 9.8) came under active exploitation shortly after details of the bug became public knowledge.