A critical XML external entity (XXE) injection vulnerability has been discovered in Apache Struts 2, potentially exposing millions of applications to data theft and server compromise.
The vulnerability, tracked as CVE-2025-68493, affects multiple versions of the widely used framework and requires immediate action from developers and system administrators.
Vulnerability Overview
The security flaw exists in the XWork component of Apache Struts 2, which handles XML configuration parsing.
The component fails to properly validate XML input, leaving applications vulnerable to XXE injection attacks.
| CVE ID | Vulnerability Type | Affected Component | Affected Versions |
|---|---|---|---|
| CVE-2025-68493 | XML External Entity (XXE) Injection | XWork Component | Struts 2.0.0–2.3.37,2.5.0–2.5.33,6.0.0–6.1.0 |
Threat actors can exploit this weakness to access sensitive information stored on affected servers or launch denial-of-service attacks.
Security researchers at ZAST.AI identified the vulnerability and reported it to the Apache Struts team.
The vulnerability received an “Important” security rating due to its potential impact on data confidentiality and system availability.
The vulnerability impacts a broad range of Struts 2 versions currently in use across organizations worldwide:
| Affected Version Range | Status |
|---|---|
| Struts 2.0.0 – 2.3.37 | End-of-Life |
| Struts 2.5.0 – 2.5.33 | End-of-Life |
| Struts 6.0.0 – 6.1.0 | Active Support |
Organizations running any of these versions should prioritize security updates immediately.
Successful exploitation of CVE-2025-68493 could result in:
| Impact Type | Description |
|---|---|
| Data Disclosure | Attackers can extract sensitive configuration files, database credentials, and application secrets |
| Server-Side Request Forgery (SSRF) | Internal network resources and systems can be compromised |
| Denial of Service (DoS) | Application availability can be disrupted using malicious XML payloads |
Apache has released Struts 6.1.1 as the fixed version. Organizations should upgrade to this release immediately.
The patch maintains backward compatibility, ensuring smooth deployment without breaking existing applications.
Organizations unable to upgrade immediately can implement temporary workarounds:
| Mitigation Approach | Description |
|---|---|
| Custom SAXParserFactory | Configure a custom SAXParserFactory by setting xwork.saxParserFactory to a factory class that disables external entities |
| JVM-Level Configuration | Disable external entities globally using JVM system properties:-Djavax.xml.accessExternalDTD=""-Djavax.xml.accessExternalSchema=""-Djavax.xml.accessExternalStylesheet="" |
These workarounds provide temporary protection while organizations plan upgrade timelines. CVE-2025-68493 represents a serious threat to Struts 2 deployments worldwide.
Immediate patching should be the top priority for security teams, followed by verifying that workarounds are in place for systems that cannot be upgraded immediately.
Organizations should review their Struts 2 inventory and develop an expedited patching schedule to eliminate exposure to this critical vulnerability.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
