A new flaw has appeared in the foundation of one of the web’s most popular Java frameworks. Security researchers at ZAST.AI have uncovered an “Important” severity vulnerability in Apache Struts 2, warning that the flaw could allow attackers to steal sensitive data or launch crippling Denial-of-Service attacks against enterprise applications.
The vulnerability, tracked as CVE-2025-68493, targets the XWork component, the command-pattern framework that powers Struts. The issue stems from improper handling of XML configurations, leaving systems wide open to XML External Entity (XXE) injection.
At its core, the vulnerability is a failure of validation. The report states that the “parsing of XML configuration in XWork component does not validate XML in proper way,” creating a pathway for attackers to inject malicious external entities.
When an application processes a tainted XML file, it can be tricked into fetching external resources. The potential impact is a trifecta of security headaches: “Disclosure of Data, Denial of Service, Server Side Request Forgery”.
This means an attacker could potentially force a server to reveal local files, shut down due to resource exhaustion, or make unauthorized requests to internal systems hidden behind the firewall.
The blast radius for this bug is significant, affecting a long lineage of Struts versions, including those already End-of-Life (EOL). The affected software list includes:
- Struts 2.0.0 through 2.3.37 (EOL)
- Struts 2.5.0 through 2.5.33 (EOL)
- Struts 6.0.0 through 6.1.0
The Apache Struts team advises organizations to “Upgrade to Struts 6.1.1 at least” to permanently close the security gap. Fortunately, the report notes that “this change is backward compatible,” meaning the upgrade shouldn’t break existing applications.
For teams stuck on older versions who cannot upgrade immediately, there is a lifeline. Workarounds include using a custom SAXParserFactory that disables external entities, or defining JVM-level configuration that blocks external DTD and Schema access via system properties such as `-Djavax.xml.accessExternalDTD=""`.
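As an added illustration of the first workaround (not code from the advisory or from the Struts project), the following Java class builds a SAXParserFactory that refuses DOCTYPE declarations and external entities, then checks it against a constructed benign document and a constructed probe document; the class name, the sample XML and the placeholder URI are assumptions for this example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;
import java.io.IOException;
import java.io.StringReader;

public final class HardenedXmlParser {

    // Builds a factory with DTD processing and external entity resolution switched off.
    public static SAXParserFactory hardenedFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Strongest setting: reject any DOCTYPE, which also stops entity-expansion DoS.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: even if a DOCTYPE were allowed, never fetch external entities or DTDs.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    // Returns true if the hardened parser accepts the document, false if it rejects it.
    public static boolean accepts(String xml) throws ParserConfigurationException, SAXException {
        try {
            SAXParser parser = hardenedFactory().newSAXParser();
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXException | IOException e) {
            // disallow-doctype-decl makes the parser fail on the DOCTYPE before any entity is resolved.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ordinary configuration-style document without a DOCTYPE.
        String benign = "<struts><package name=\"default\"/></struts>";
        // Constructed probe: declares an external entity with a placeholder URI; must be rejected.
        String probe = "<!DOCTYPE x [<!ENTITY ext SYSTEM \"file:///placeholder\">]><struts>&ext;</struts>";
        System.out.println("benign accepted: " + accepts(benign));
        System.out.println("probe accepted:  " + accepts(probe));
    }
}
```

The same effect for parsers created elsewhere in the JVM can be obtained with the system-property route the advisory mentions, `-Djavax.xml.accessExternalDTD=""`, which applies to the JDK's built-in JAXP implementation.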