VYPR
High severity · NVD Advisory · Published Mar 27, 2018 · Updated Sep 16, 2024

CVE-2018-1327

Description

The Apache Struts REST Plugin uses the XStream library, which is vulnerable and allows a DoS attack when a malicious request with a specially crafted XML payload is used. Upgrade to Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here: http://struts.apache.org/plugins/rest/#custom-contenttypehandlers. Another option is to implement a custom XML handler based on the Jackson XML handler from Apache Struts 2.5.16.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Struts REST Plugin with XStream is vulnerable to DoS attacks via crafted XML payloads; upgrade to 2.5.16 with Jackson handler.

Vulnerability

The Apache Struts REST Plugin uses the XStream library as its default handler for XML request bodies. XStream is vulnerable to a denial-of-service (DoS) attack when it processes a request containing a specially crafted XML payload [1]. The affected range is Struts 2.1.1 through 2.5.14.1; the struts2-rest-plugin artifact is listed as affected for versions >= 2.1.1 and < 2.5.16 [4]. The advisory does not describe the parsing behaviour behind the resource exhaustion. Its position is that the XStream-based handler should not be used for untrusted XML input, and the 2.5.16 fix adds an alternative Jackson-based handler to switch to rather than patching XStream.

Exploitation

An attacker can exploit this vulnerability remotely by sending an HTTP request (typically a POST) with an XML body to any action exposed through the REST plugin while the default XStream handler still serves the XML content type (Content-Type: application/xml, or the .xml extension). No authentication is required, and no user interaction is needed [1][4]. Parsing the crafted payload in XStream consumes CPU and memory until the server can no longer serve requests. The references do not publish exploit code or describe the structure of the payload.

Impact

Successful exploitation leads to a denial-of-service (DoS) condition: the target server becomes unresponsive or crashes due to high CPU consumption and memory exhaustion. Availability is the primary impacted attribute; confidentiality and integrity are not directly affected. The attacker gains no code execution or data access, but service disruption can result in business impact.

Mitigation

Apache has released a fix in version 2.5.16 of the Struts framework. Users must upgrade to at least Struts 2.5.16 and switch the REST plugin from the default XStream XML handler to the optional Jackson XML handler [1][3]. Instructions are in the official Struts REST plugin documentation (http://struts.apache.org/plugins/rest/#custom-contenttypehandlers). The plugin declares jackson-dataformat-xml as an optional dependency (see the plugins/rest/pom.xml change below), so an application that switches handlers must add that artifact to its own build. If upgrading immediately is not possible, a custom XML handler based on the Jackson handler from 2.5.16 can be implemented and registered in place of the XStream one [1]. The XStream handler itself is not patched: the options are to override the XML content type with a different handler or, if the application does not need XML input, to remove the XML handler mapping so the plugin never parses XML bodies.
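A custom handler of the kind the last sentence of the Description suggests, modelled on the JacksonXmlHandler added in commit 67ecf3a21608 below but with the StAX parser locked down (no DTDs, no external entities) and the request body bounded. This is an added example, not code from the Struts project: the package, class and bean names and the 1 MiB limit are assumptions, the override constant in the comment follows the struts.rest.handlerOverride.<extension> pattern documented for the REST plugin, and the application must declare jackson-dataformat-xml itself because the plugin marks it optional.

```java
package com.example.rest; // hypothetical application package

import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectReader;
import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;
import com.opensymphony.xwork2.ActionInvocation;
import org.apache.struts2.rest.handler.AbstractContentTypeHandler;

import javax.xml.stream.XMLInputFactory;
import java.io.FilterReader;
import java.io.IOException;
import java.io.Reader;
import java.io.Writer;

/**
 * Replacement for the REST plugin's XStream XML handler, based on the
 * JacksonXmlHandler shipped in Struts 2.5.16, with a hardened StAX parser.
 *
 * Registration in struts.xml (bean name "hardenedXml" is an example):
 *
 *   <bean type="org.apache.struts2.rest.handler.ContentTypeHandler"
 *         name="hardenedXml" class="com.example.rest.HardenedJacksonXmlHandler"/>
 *   <constant name="struts.rest.handlerOverride.xml" value="hardenedXml"/>
 */
public class HardenedJacksonXmlHandler extends AbstractContentTypeHandler {

    /** Upper bound on an accepted XML body, in characters (assumed value, tune per app). */
    static final long MAX_BODY_CHARS = 1L << 20;

    private final XmlMapper mapper = buildMapper();

    static XmlMapper buildMapper() {
        XMLInputFactory in = XMLInputFactory.newInstance();
        // Refuse DTDs outright: this removes entity-expansion bombs and internal subsets.
        in.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Never resolve external entities even if a DTD were processed.
        in.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        XmlMapper m = new XmlMapper(new XmlFactory(in));
        // Jackson's default, stated explicitly: unknown elements fail instead of being ignored.
        m.enable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
        return m;
    }

    @Override
    public void toObject(ActionInvocation invocation, Reader in, Object target) throws IOException {
        ObjectReader reader = mapper.readerForUpdating(target);
        // The bounded reader aborts parsing once the body exceeds MAX_BODY_CHARS.
        reader.readValue(new BoundedReader(in, MAX_BODY_CHARS));
    }

    @Override
    public String fromObject(ActionInvocation invocation, Object obj, String resultCode, Writer stream)
            throws IOException {
        mapper.writeValue(stream, obj);
        return null;
    }

    @Override public String getContentType() { return "application/xml"; }
    @Override public String getExtension()   { return "xml"; }

    /** Reader that throws once more than {@code limit} characters have been consumed. */
    static final class BoundedReader extends FilterReader {
        private final long limit;
        private long consumed;

        BoundedReader(Reader in, long limit) { super(in); this.limit = limit; }

        @Override public int read() throws IOException {
            int c = super.read();
            if (c != -1) count(1);
            return c;
        }

        @Override public int read(char[] buf, int off, int len) throws IOException {
            int n = super.read(buf, off, len);
            if (n > 0) count(n);
            return n;
        }

        private void count(long n) throws IOException {
            consumed += n;
            if (consumed > limit) {
                throw new IOException("XML request body exceeds " + limit + " characters");
            }
        }
    }
}
```

The DTD setting is the part that matters most: a StAX factory honours DTDs by default, so a Jackson handler built with a plain new XmlMapper() still performs entity expansion on attacker-supplied input. The size cap is a second, independent bound that does not depend on which parser is underneath.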

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                        Affected versions    Patched versions
org.apache.struts:struts2-rest-plugin (Maven)  >= 2.1.1, < 2.5.16   2.5.16

Affected products: 4

Patches: 3

9260720568ce

Adds test to cover basic functionality

https://github.com/apache/struts · Lukasz Lenart · Feb 20, 2018 · via ghsa
2 files changed · +139 −0
  • plugins/rest/src/test/java/org/apache/struts2/rest/handler/JacksonXmlHandlerTest.java (+87 −0, added)
    @@ -0,0 +1,87 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + *
    + *  http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing,
    + * software distributed under the License is distributed on an
    + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    + * KIND, either express or implied.  See the License for the
    + * specific language governing permissions and limitations
    + * under the License.
    + */
    +package org.apache.struts2.rest.handler;
    +
    +import com.opensymphony.xwork2.ActionInvocation;
    +import com.opensymphony.xwork2.XWorkTestCase;
    +import com.opensymphony.xwork2.mock.MockActionInvocation;
    +
    +import java.io.Reader;
    +import java.io.StringReader;
    +import java.io.StringWriter;
    +import java.io.Writer;
    +import java.util.Arrays;
    +
    +import static org.fest.assertions.Assertions.assertThat;
    +
    +public class JacksonXmlHandlerTest extends XWorkTestCase {
    +
    +    private String xml;
    +    private JacksonXmlHandler handler;
    +    private ActionInvocation ai;
    +
    +    public void setUp() throws Exception {
    +        super.setUp();
    +        xml = "<SimpleBean>" +
    +                "<name>Jan</name>" +
    +                "<age>12</age>" +
    +                "<parents>" +
    +                "<parents>Adam</parents>" +
    +                "<parents>Ewa</parents>" +
    +                "</parents>" +
    +                "</SimpleBean>";
    +        handler = new JacksonXmlHandler();
    +        ai = new MockActionInvocation();
    +    }
    +
    +    public void testObjectToXml() throws Exception {
    +        // given
    +        SimpleBean obj = new SimpleBean();
    +        obj.setName("Jan");
    +        obj.setAge(12L);
    +        obj.setParents(Arrays.asList("Adam", "Ewa"));
    +
    +        // when
    +        Writer stream = new StringWriter();
    +        handler.fromObject(ai, obj, null, stream);
    +
    +        // then
    +        stream.flush();
    +        assertEquals(xml, stream.toString());
    +    }
    +
    +    public void testXmlToObject() throws Exception {
    +        // given
    +        SimpleBean obj = new SimpleBean();
    +
    +        // when
    +        Reader in = new StringReader(xml);
    +        handler.toObject(ai, in, obj);
    +
    +        // then
    +        assertNotNull(obj);
    +        assertEquals(obj.getName(), "Jan");
    +        assertEquals(obj.getAge().longValue(), 12L);
    +        assertNotNull(obj.getParents());
    +        assertThat(obj.getParents())
    +                .hasSize(2)
    +                .containsExactly("Adam", "Ewa");
    +    }
    +
    +}
    \ No newline at end of file
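Review bot: the new test only exercises the benign round-trip of SimpleBean and has no negative case for the condition this handler was introduced to address; add a test that feeds toObject a payload with a DOCTYPE/entity expansion or deeply nested elements and asserts it is rejected or bounded, otherwise a later mapper change can silently reopen the DoS. Minor points: assertEquals(obj.getName(), "Jan") and assertEquals(obj.getAge().longValue(), 12L) have expected and actual swapped, which makes failure messages misleading; testObjectToXml compares the exact serialized string, which is brittle across Jackson versions; and the file is missing its trailing newline.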
    
  • plugins/rest/src/test/java/org/apache/struts2/rest/handler/SimpleBean.java (+52 −0, added)
    @@ -0,0 +1,52 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + *
    + *  http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing,
    + * software distributed under the License is distributed on an
    + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    + * KIND, either express or implied.  See the License for the
    + * specific language governing permissions and limitations
    + * under the License.
    + */
    +package org.apache.struts2.rest.handler;
    +
    +import java.util.List;
    +
    +public class SimpleBean {
    +
    +    private String name;
    +    private Long age;
    +    private List<String> parents;
    +
    +    public String getName() {
    +        return name;
    +    }
    +
    +    public void setName(String name) {
    +        this.name = name;
    +    }
    +
    +    public Long getAge() {
    +        return age;
    +    }
    +
    +    public void setAge(Long age) {
    +        this.age = age;
    +    }
    +
    +    public List<String> getParents() {
    +        return parents;
    +    }
    +
    +    public void setParents(List<String> parents) {
    +        this.parents = parents;
    +    }
    +}
    
67ecf3a21608

Defines a new handler using Jackson XML

https://github.com/apache/struts · Lukasz Lenart · Feb 20, 2018 · via ghsa
2 files changed · +72 −0
  • plugins/rest/pom.xml (+11 −0, modified)
    @@ -55,6 +55,11 @@
                 <groupId>com.fasterxml.jackson.core</groupId>
                 <artifactId>jackson-databind</artifactId>
             </dependency>
    +        <dependency>
    +            <groupId>com.fasterxml.jackson.dataformat</groupId>
    +            <artifactId>jackson-dataformat-xml</artifactId>
    +            <optional>true</optional>
    +        </dependency>
     
             <dependency>
                 <groupId>mockobjects</groupId>
    @@ -80,6 +85,12 @@
                 <optional>true</optional>
             </dependency>
     
    +        <dependency>
    +            <groupId>org.easytesting</groupId>
    +            <artifactId>fest-assert</artifactId>
    +            <scope>test</scope>
    +        </dependency>
    +
             <!-- The Servlet API mocks in Spring Framework 4.x only supports Servlet 3.0 and higher.
                This is only necessary in tests-->
             <dependency>
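Review bot: fest-assert is added with test scope but no version, and the root pom change in this set manages only jackson-dataformat-xml; confirm fest-assert is already in the root dependencyManagement, otherwise the plugin's test compile fails. FEST Assert is also no longer maintained (AssertJ is its continuation), so introducing it as a new test dependency is questionable unless the other plugins already use it.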
    
  • plugins/rest/src/main/java/org/apache/struts2/rest/handler/JacksonXmlHandler.java (+61 −0, added)
    @@ -0,0 +1,61 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + *
    + *  http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing,
    + * software distributed under the License is distributed on an
    + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    + * KIND, either express or implied.  See the License for the
    + * specific language governing permissions and limitations
    + * under the License.
    + */
    +package org.apache.struts2.rest.handler;
    +
    +import com.fasterxml.jackson.databind.ObjectReader;
    +import com.fasterxml.jackson.dataformat.xml.XmlMapper;
    +import com.opensymphony.xwork2.ActionInvocation;
    +import org.apache.logging.log4j.LogManager;
    +import org.apache.logging.log4j.Logger;
    +
    +import java.io.IOException;
    +import java.io.Reader;
    +import java.io.Writer;
    +
    +/**
    + * Handles XML content using Jackson
    + */
    +public class JacksonXmlHandler extends AbstractContentTypeHandler {
    +
    +    private static final Logger LOG = LogManager.getLogger(JacksonXmlHandler.class);
    +
    +    private static final String DEFAULT_CONTENT_TYPE = "application/xml";
    +    private XmlMapper mapper = new XmlMapper();
    +
    +    public void toObject(ActionInvocation invocation, Reader in, Object target) throws IOException {
    +        LOG.debug("Converting input into an object of: {}", target.getClass().getName());
    +        ObjectReader or = mapper.readerForUpdating(target);
    +        or.readValue(in);
    +    }
    +
    +    public String fromObject(ActionInvocation invocation, Object obj, String resultCode, Writer stream) throws IOException {
    +        LOG.debug("Converting an object of {} into string", obj.getClass().getName());
    +        mapper.writeValue(stream, obj);
    +        return null;
    +    }
    +
    +    public String getContentType() {
    +        return DEFAULT_CONTENT_TYPE;
    +    }
    +
    +    public String getExtension() {
    +        return "xml";
    +    }
    +
    +}
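Review bot: new XmlMapper() in the field initialiser uses the default StAX input factory, so the replacement parser still processes DTDs and entity expansion in untrusted request bodies; since this handler exists to retire a parser with DoS problems, build it from an XmlFactory whose XMLInputFactory has SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES set to false, and make the mapper field final. The class also needs a note, here or in the plugin docs, that it is not registered by default and requires the optional jackson-dataformat-xml dependency, and @Override on the four ContentTypeHandler methods.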
    
4260bee634cb

Adds Jackson XML binding dependency

https://github.com/apache/struts · Lukasz Lenart · Feb 20, 2018 · via ghsa
1 file changed · +7 −2
  • pom.xml (+7 −2, modified)
    @@ -103,7 +103,7 @@
             <tiles.version>3.0.7</tiles.version>
             <tiles-request.version>1.0.6</tiles-request.version>
             <log4j2.version>2.10.0</log4j2.version>
    -        <jackson.version>2.9.2</jackson.version>
    +        <jackson.version>2.9.4</jackson.version>
     
             <!-- Site generation -->
             <fluido-skin.version>1.6</fluido-skin.version>
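Review bot: the jackson.version bump from 2.9.2 to 2.9.4 is not mentioned in the commit message ("Adds Jackson XML binding dependency") and it changes jackson-databind for every module, not just the new artifact; call it out in the message or split it into its own commit so the change is visible when release notes are assembled.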
    @@ -1064,7 +1064,12 @@
                     <artifactId>jackson-databind</artifactId>
                     <version>${jackson.version}</version>
                 </dependency>
    -
    +            <dependency>
    +                <groupId>com.fasterxml.jackson.dataformat</groupId>
    +                <artifactId>jackson-dataformat-xml</artifactId>
    +                <version>${jackson.version}</version>
    +            </dependency>
    +            
                 <!-- CDI & Weld -->
                 <dependency>
                     <groupId>javax.enterprise</groupId>
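Review bot: the blank line removed at "-" was empty, but the one added after the new dependency carries trailing whitespace (the "+            " line); strip it. Pinning jackson-dataformat-xml to ${jackson.version} is the right call, since mixing Jackson core and dataformat minor versions is a common source of runtime errors.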
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 17

News mentions: 0

No linked articles in our index yet.