Apache Struts Extras: Improper Output Neutralization for Logs
Description
UNSUPPORTED WHEN ASSIGNED Improper Output Neutralization for Logs vulnerability in Apache Struts.
This issue affects Apache Struts Extras: before 2.
When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line, confusing consumers of the logs (either human or automated).
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
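The description above explains the mechanism: a request parameter is written to the log unfiltered, and an embedded CR/LF makes the rest of the value look like a second, forged log record. The following is an added example (not Struts code and not part of the advisory) of the standard CWE-117 mitigation an application can apply to its own logging of request parameters: escape line breaks and other control characters before the value reaches the logger. The parameter value is a constructed sample.

```java
/** Neutralizes untrusted text before it is written into a log line (added example). */
public final class LogNeutralizer {

    private LogNeutralizer() {}

    /**
     * Replaces CR, LF and TAB with visible escapes and renders any other
     * control character as a \\uXXXX escape, so an attacker-supplied value
     * cannot terminate the current record and start a new one.
     * Printable and non-ASCII characters are left untouched.
     */
    public static String neutralize(String untrusted) {
        if (untrusted == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(untrusted.length() + 8);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            switch (c) {
                case '\r': out.append("\\r"); break;
                case '\n': out.append("\\n"); break;
                case '\t': out.append("\\t"); break;
                default:
                    if (c < 0x20 || c == 0x7f) {
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    /** Demonstration with a constructed dispatch-parameter value (not from the advisory). */
    public static void main(String[] args) {
        // Constructed sample: the value carries a newline followed by text shaped like a record.
        String param = "search\n2025-07-30 10:00:01 INFO  Login succeeded for user=admin";
        // Logged as-is, the value is displayed as two records; neutralized, it stays one.
        System.out.println("Unfiltered:  " + param);
        System.out.println("Neutralized: " + neutralize(param));
    }
}
```

Log consumers that already ingest such lines can apply the same rule in reverse: a record whose message contains a raw line break, or a line that lacks the expected timestamp prefix, deserves a closer look.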
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Struts Extras Log Injection vulnerability allows crafted input to inject fake log lines, confusing log consumers; no fix as project is retired.
Vulnerability
Overview
CVE-2025-54656 is an improper output neutralization for logs vulnerability in Apache Struts Extras, specifically when using LookupDispatchAction. The framework fails to filter untrusted input before writing it to logs, allowing specially-crafted input to inject arbitrary log content [1].
Exploitation
An attacker can send malicious requests to a Struts application using LookupDispatchAction. No authentication is required if the endpoint is exposed. The injected input can masquerade as separate log lines, potentially confusing both human analysts and automated log monitoring systems [3].
Impact
Successful exploitation leads to log injection, where the attacker can forge log entries. This can be used to hide malicious activities, mislead incident response, or cause false alerts. Since the project is retired, no fix will be released [1].
Mitigation
Users are advised to migrate away from the retired Apache Struts Extras or restrict access to trusted users. No official patch is available [3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.struts:struts-extras (Maven) | <= 1.3.10 | — |
Affected products
- Range: <2
- Apache Software Foundation / Apache Struts Extras (v5) Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cx25-xg7c-xfm5 (GHSA, ADVISORY)
- lists.apache.org/thread/so5cn07j2zn9vlf1xnfqp630wts719rr (GHSA, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-54656 (GHSA, ADVISORY)
- www.openwall.com/lists/oss-security/2025/07/30/1 (GHSA, WEB)
News mentions
No linked articles in our index yet.