Medium severity 5.9 · NVD Advisory · Published Sep 20, 2017 · Updated May 13, 2026
CVE-2016-8738
Description
In Apache Struts 2.5 through 2.5.5, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload the server process when performing validation of the URL.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.struts:struts2-core (Maven) | >= 2.5.0, < 2.5.13 | 2.5.13 |
Affected products
- Apache Software Foundation/Apache Struts · v5 · Range: 2.5 - 2.5.5
Patches
1 file changed · +1 −1
core/src/main/java/com/opensymphony/xwork2/validator/validators/URLValidator.java+1 −1 modified@@ -55,7 +55,7 @@ public void validate(Object object) throws ValidationException { return; } - if (!(value.getClass().equals(String.class)) || !Pattern.compile(getUrlRegex(), Pattern.CASE_INSENSITIVE).matcher(String.valueOf(value)).matches()) { + if (!(value.getClass().equals(String.class)) || !Pattern.compile(getUrlRegex(), Pattern.CASE_INSENSITIVE).matcher(String.valueOf(value).trim()).matches()) { addFieldError(fieldName, object); } }
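Review bot: On the `+` line in validate(), `.trim()` is applied only to the string handed to `matcher()`, so the field value itself stays untrimmed: a value with leading or trailing whitespace now passes validation and reaches downstream code with that whitespace intact. If padded URLs are meant to be accepted, say so in the validator's documentation and add a test with a whitespace-padded URL to pin the behaviour. The expression returned by getUrlRegex() is not changed in this hunk, so matching cost for input without surrounding whitespace is the same as before; a length bound on the trimmed value before `matches()` would limit that independently of the regex. Separately, `Pattern.compile(getUrlRegex(), Pattern.CASE_INSENSITIVE)` still runs on every validate() call and could be cached if the expression does not change between calls.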
References
- struts.apache.org/docs/s2-044.html · nvd · Mitigation, Patch, Vendor Advisory · WEB
- www.securityfocus.com/bid/94657 · nvd · Third Party Advisory, VDB Entry
- github.com/advisories/GHSA-86vq-8qhc-5rqw · ghsa · ADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-8738 · ghsa · ADVISORY
- github.com/apache/struts/commit/554b9dddb0fbd1e581ef577dd62a7c22955ad0f6 · ghsa · WEB
- security.netapp.com/advisory/ntap-20180629-0003 · ghsa · WEB
- security.netapp.com/advisory/ntap-20180629-0003/ · nvd