Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.
Description
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Struts 2.0.0 to 2.5.29 allow remote code execution via forced OGNL evaluation on untrusted input due to an incomplete fix for CVE-2020-17530.
Vulnerability
The vulnerability resides in Apache Struts 2 versions 2.0.0 through 2.5.29. The fix for CVE-2020-17530 (S2-061) was incomplete, leaving certain tag attributes susceptible to double evaluation when a developer uses the forced OGNL expression syntax %{...} [1][2][3]. If an attacker-controlled value is passed into such an attribute, the OGNL expression is evaluated twice, enabling remote code execution [3].
Exploitation
An attacker must be able to supply untrusted user input that reaches a Struts tag attribute where a developer has applied forced OGNL evaluation using %{...} [1][2]. No authentication is required if the affected endpoint is publicly accessible. The attacker crafts a malicious OGNL expression embedded in the user input, which is then evaluated without proper validation, leading to code execution on the server [3].
Impact
Successful exploitation results in Remote Code Execution (RCE) with the privileges of the Struts application [1][2][3]. This can lead to full compromise of the application server, including data disclosure, modification, or denial of service. The vulnerability is rated Important [3].
Mitigation
Upgrade to Apache Struts 2.5.30 or later, which includes a check to prevent double evaluation [2][3]. As a workaround, avoid using forced OGNL evaluation (%{...}) on untrusted user input in tag attributes [3]. No EOL or KEV listing is noted in the available references.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.struts:struts2-coreMaven | >= 2.0.0, < 2.5.30 | 2.5.30 |
Affected products
2- Apache Software Foundation/Apache Strutsv5Range: 2.0.0 to 2.5.29
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- github.com/advisories/GHSA-v8j6-6c2r-r27cghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-31805ghsaADVISORY
- www.openwall.com/lists/oss-security/2022/04/12/6ghsamailing-listx_refsource_MLISTWEB
- cwiki.apache.org/confluence/display/WW/S2-062ghsax_refsource_MISCWEB
- security.netapp.com/advisory/ntap-20220420-0001ghsaWEB
- security.netapp.com/advisory/ntap-20220420-0001/mitrex_refsource_CONFIRM
- www.oracle.com/security-alerts/cpujul2022.htmlghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.