Critical CVEs Disclosed in Apache Roller, Tomcat, and Parquet: What You Need to Know
- Garrett Michael Music
- Apr 15
- 2 min read

A series of critical vulnerabilities has recently been disclosed in widely used Apache open-source projects, raising serious concerns for organizations that run these technologies in production environments.
CVE-2025-24859: Apache Roller Session Hijack Risk (CVSS 10.0)
The most severe of the newly disclosed flaws is CVE-2025-24859, a critical session management vulnerability affecting Apache Roller, a popular Java-based blogging server.
According to Apache's advisory, versions up to and including 6.1.4 are impacted. The flaw allows user sessions to remain active even after a password change, whether initiated by the user or an administrator. This creates an opportunity for attackers to retain access to a compromised account even after the credentials have been updated.
The vulnerability has been patched in version 6.1.5, which introduces centralized session management to ensure that all active sessions are invalidated upon password changes or user deactivation.
Recommendation: All Apache Roller users should upgrade to version 6.1.5 immediately to eliminate this risk.
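The defect class described above is easier to reason about with a minimal model. The following is an added example, not Roller's code: a naive session store that leaves sessions untouched when a password changes, beside a centralized store that revokes every session of the affected user on password change or deactivation and additionally ties each session to a password "generation" counter, so a session issued under an old password fails validation even if a revocation was missed. All class and function names here are hypothetical.

```python
"""Model of the session-invalidation defect and its fix (added example, not Roller code)."""
import secrets
from dataclasses import dataclass


@dataclass
class User:
    name: str
    password_hash: str      # placeholder: a real application stores a salted hash
    pw_generation: int = 0  # incremented on every password change
    active: bool = True


@dataclass
class Session:
    token: str
    user: str
    pw_generation: int      # password generation the session was issued under


class NaiveSessionStore:
    """The pattern the advisory describes: sessions outlive password changes."""

    def __init__(self):
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def add_user(self, name: str, password_hash: str) -> None:
        self.users[name] = User(name, password_hash)

    def login(self, name: str, password_hash: str):
        user = self.users.get(name)
        if user is None or not user.active or user.password_hash != password_hash:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, name, user.pw_generation)
        return token

    def is_valid(self, token: str) -> bool:
        return token in self.sessions

    def change_password(self, name: str, new_hash: str) -> None:
        self.users[name].password_hash = new_hash   # existing sessions untouched: the defect

    def deactivate(self, name: str) -> None:
        self.users[name].active = False             # existing sessions untouched: the defect


class CentralSessionStore(NaiveSessionStore):
    """Hardened variant: every session is registered centrally, so a password change
    or deactivation can revoke all of a user's sessions; validation also checks the
    password generation so a stale session fails even if revocation was missed."""

    def _revoke_all(self, name: str) -> None:
        for token in [t for t, s in self.sessions.items() if s.user == name]:
            del self.sessions[token]

    def is_valid(self, token: str) -> bool:
        session = self.sessions.get(token)
        if session is None:
            return False
        user = self.users.get(session.user)
        return (user is not None and user.active
                and session.pw_generation == user.pw_generation)

    def change_password(self, name: str, new_hash: str) -> None:
        user = self.users[name]
        user.password_hash = new_hash
        user.pw_generation += 1
        self._revoke_all(name)

    def deactivate(self, name: str) -> None:
        self.users[name].active = False
        self._revoke_all(name)


def session_survives_password_change(store_cls) -> bool:
    """Return True if a session established before a password reset is still valid after it."""
    store = store_cls()
    store.add_user("alice", "hash-old")            # constructed sample user
    old_token = store.login("alice", "hash-old")    # session established before the reset
    store.change_password("alice", "hash-new")      # user or administrator resets the password
    return store.is_valid(old_token)


if __name__ == "__main__":
    print("naive store keeps pre-reset session:", session_survives_password_change(NaiveSessionStore))
    print("central store keeps pre-reset session:", session_survives_password_change(CentralSessionStore))
```

The generation check is the part worth carrying into real deployments: in a clustered setup where sessions live on several nodes, deleting sessions from one registry is not enough, and a per-user counter stored next to the credential gives every node a cheap way to reject sessions issued before the last password change.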
CVE-2025-30065: Apache Parquet Remote Code Execution
Just weeks earlier, a separate critical issue surfaced in the Apache Parquet Java library: CVE-2025-30065, which also carries a CVSS score of 10.0.
If successfully exploited, this vulnerability could allow unauthenticated remote attackers to execute arbitrary code on vulnerable systems. Apache Parquet is widely used for processing large-scale data across platforms such as Hadoop and Spark, making this a potentially devastating exploit vector for data-heavy environments.
CVE-2025-24813: Apache Tomcat Under Active Exploitation
In a related wave of Apache-targeted vulnerabilities, CVE-2025-24813 was disclosed last month, this time affecting Apache Tomcat, a core web application server used globally.
With a CVSS score of 9.8, this flaw quickly drew attention from attackers and was reportedly under active exploitation shortly after disclosure. The vulnerability allows threat actors to gain unauthorized control of affected servers, especially where default or misconfigured deployments are present.
What This Means for You
If your organization relies on Apache-based components, directly or indirectly through third-party software, this is your signal to:
- Audit your stack for versions of Roller, Parquet, and Tomcat
- Patch immediately to the latest secure versions
- Review session management policies in your web applications
- Monitor for signs of compromise, especially where Tomcat or Parquet is internet-facing
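The first step, inventorying which versions of these components are actually deployed, is easy to do badly by hand because Parquet and Tomcat usually arrive transitively inside other applications' lib directories. The following is an added example (not an Apache tool) that walks a directory tree, recognizes Roller, Parquet, and Tomcat jar and war files by name, and compares the embedded version against a minimum fixed version. Only the Roller threshold (6.1.5) is taken from this post; the Parquet and Tomcat thresholds are left as placeholders to be filled in from the respective Apache advisories, and anything without a threshold is reported for manual follow-up rather than silently passed. All function names and the regular expression are this example's own.

```python
"""Inventory Roller/Parquet/Tomcat artifacts under a directory tree (added example, not an Apache tool)."""
import re
from pathlib import Path

# Minimum fixed versions. The Roller value comes from the post above; the other
# two are PLACEHOLDERS to be filled in from the Apache advisories for
# CVE-2025-30065 (Parquet) and CVE-2025-24813 (Tomcat).
FIXED_VERSIONS = {
    "roller": "6.1.5",
    "parquet": None,  # PLACEHOLDER: fill in from the Parquet advisory
    "tomcat": None,   # PLACEHOLDER: fill in from the Tomcat advisory
}

# Matches e.g. roller-6.1.4.war, parquet-hadoop-1.15.0.jar, tomcat-embed-core-10.1.30.jar.
ARTIFACT_RE = re.compile(
    r"(?i)(roller|parquet|tomcat)[\w.-]*?-(\d+(?:\.\d+)+)[^/]*\.(?:jar|war)$"
)


def parse_version(version: str) -> tuple:
    """Turn '6.1.4' into (6, 1, 4) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def classify(filename: str, fixed: dict = FIXED_VERSIONS):
    """Return (product, version, status) for a recognized artifact, else None.

    status is 'vulnerable' when the version is below the fixed threshold,
    'patched' when at or above it, and 'unknown-threshold' when no threshold
    has been configured for the product.
    """
    match = ARTIFACT_RE.search(filename)
    if not match:
        return None
    product, version = match.group(1).lower(), match.group(2)
    floor = fixed.get(product)
    if floor is None:
        status = "unknown-threshold"
    elif parse_version(version) < parse_version(floor):
        status = "vulnerable"
    else:
        status = "patched"
    return product, version, status


def audit(root: str, fixed: dict = FIXED_VERSIONS) -> list:
    """Walk root recursively and return a list of (path, product, version, status)."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in (".jar", ".war"):
            continue
        result = classify(path.name, fixed)
        if result is not None:
            findings.append((str(path), *result))
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, product, version, status in audit(target):
        print(f"{status:18} {product:8} {version:10} {path}")
```

Filename-based matching is a first pass only: it will miss shaded or renamed jars and a Tomcat that was installed from a distribution archive rather than as a jar, so treat a clean report as a prompt to check package managers, container images, and application manifests as well, not as proof that nothing vulnerable is present.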
Staying ahead of these vulnerabilities isn't just about compliance; it's about resilience and proactive defense.
Want help with vulnerability assessments, patch management, or secure configuration audits? We help organizations stay safe, secure, and ahead of the curve.