A newly disclosed vulnerability in Apache Struts 2’s XWork component could expose sensitive data and open the door to denial‑of‑service and server‑side request forgery (SSRF) attacks if left unpatched.
The flaw, tracked as CVE-2025-68493, is rated Important and affects a wide range of Struts 2 versions, putting many Java web applications at risk.

| Field | Details |
|---|---|
| CVE ID | CVE-2025-68493 |
| Vulnerability Type | XML External Entity (XXE) injection in XWork component |
| Impact | Disclosure of data, Denial of Service (DoS), Server Side Request Forgery (SSRF) |

The issue stems from improper validation of XML configuration parsing within the XWork component.
Because XML input is not securely handled, the component is vulnerable to XML External Entity (XXE) injection.
In practice, this means an attacker could craft malicious XML that tricks the application into processing external entities, allowing them to read local files, access internal network resources, exfiltrate sensitive data, or disrupt service availability.
All Struts 2 developers and users are urged to review their deployments. The vulnerability affects legacy and current branches, including end‑of‑life versions that are no longer maintained but are still widely used in production environments.
Applications that rely on XML configuration and are exposed to untrusted input are particularly at risk.
The Apache Struts team recommends upgrading to Struts 6.1.1 or later as the primary remediation.
The project notes that the fix is backward compatible, easing the upgrade path for most users. For organizations unable to patch immediately, temporary mitigations are available by hardening XML parsing behavior.
Administrators can deploy a custom SAXParserFactory that turns off external entities by default, or set JVM‑level system properties to block external DTDs, schemas, and stylesheets.
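The two interim mitigations above, a hardened SAXParserFactory and JVM-level JAXP properties, look like the following in practice. This is an added illustration, not code from the Struts project or the article: the feature URIs and `javax.xml.accessExternal*` property names are the standard JAXP/Xerces ones, the sample documents are constructed, and how XWork locates the factory (normally the `javax.xml.parsers.SAXParserFactory` JAXP lookup) is an assumption not described in the article.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public final class HardenedXmlParsing {

    /** A SAXParserFactory that refuses DOCTYPEs and never resolves external entities. */
    public static SAXParserFactory hardenedFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Rejecting any DOCTYPE removes XXE and entity-expansion DoS in one step.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        return f;
    }

    /** JVM-wide fallback (JAXP 1.5): an empty value denies all external DTD/schema/stylesheet access. */
    public static void applyJvmLevelRestrictions() {
        System.setProperty("javax.xml.accessExternalDTD", "");
        System.setProperty("javax.xml.accessExternalSchema", "");
        System.setProperty("javax.xml.accessExternalStylesheet", "");
    }

    /** Parses a document with the hardened factory; a DOCTYPE causes a SAXException. */
    public static void parseUntrusted(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        SAXParser parser = hardenedFactory().newSAXParser();
        parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
    }

    public static void main(String[] args) throws Exception {
        applyJvmLevelRestrictions();

        // Constructed sample: a plain configuration fragment with no DOCTYPE.
        String benign = "<struts><constant name=\"x\" value=\"y\"/></struts>";
        // Constructed sample: a document declaring an external entity (placeholder URI).
        String withDoctype = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE struts [<!ENTITY ext SYSTEM \"file:///placeholder\">]>\n"
                + "<struts>&ext;</struts>";

        parseUntrusted(benign);
        System.out.println("benign document parsed");
        try {
            parseUntrusted(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The same three properties can be set without code changes as `-Djavax.xml.accessExternalDTD=""` (and the schema and stylesheet equivalents) on the JVM command line; they must be in place before the first parser factory is created, so a startup flag is more reliable than a late `System.setProperty` call. Either mitigation is a stopgap: the upgrade to the fixed Struts release remains the remediation.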
The vulnerability was reported by ZAST.AI, highlighting ongoing scrutiny of widely used Java frameworks.
Given Struts’ history in high‑profile security incidents, organizations are strongly advised to prioritize this flaw in their patching queues and verify that vulnerable versions are removed or adequately mitigated.