Apache Struts, Apache Struts: XXE vulnerability in outdated XWork component
Description
Missing XML Validation vulnerability in Apache Struts, Apache Struts.
This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0.
Users are recommended to upgrade to version 6.1.1, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Struts versions before 6.1.1 are vulnerable to XXE via the XWork component due to missing XML validation, allowing data disclosure, DoS, or SSRF.
Overview
Missing XML validation in Apache Struts' XWork component leads to an XML External Entity (XXE) vulnerability. The XWork component does not validate XML properly, so external entities declared in a document it parses are processed. This affects Struts versions from 2.0.0 before 2.2.1 and from 2.2.1 through 6.1.0 [1][3][4].
Exploitation
An attacker can exploit this by providing a crafted XML configuration file containing external entity references. The vulnerability is triggered when Struts parses XML configuration files. No authentication is required if an attacker can supply such input to the application. The attack surface includes any Struts application that processes XML configuration, potentially leading to exposure of internal files, denial of service, or server-side request forgery [4].
Impact
Successful exploitation allows an attacker to read arbitrary files from the server (data disclosure), cause a denial of service via resource exhaustion, or perform server-side request forgery, potentially to internal systems [4].
Mitigation
Users should upgrade to Struts 6.1.1, which fixes the vulnerability. For those unable to upgrade, workarounds include setting a custom SAXParserFactory via the xwork.saxParserFactory property, or configuring JVM-level properties to disable external entity processing: -Djavax.xml.accessExternalDTD="", -Djavax.xml.accessExternalSchema="", and -Djavax.xml.accessExternalStylesheet="" [4].
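The JVM properties above are the JAXP-wide way to switch off external DTD, schema and stylesheet access. The following is an added example (not code from the Struts project or the advisory) of the same hardening applied directly to a SAXParserFactory, which is the kind of factory the xwork.saxParserFactory workaround lets you substitute; how that property is registered with Struts is not shown here and is left to the advisory. The sample XML, the class name and the placeholder file path are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxParsing {

    // Constructed sample: a configuration-like document that declares an
    // external entity. A default factory would try to resolve &ext; from
    // the SYSTEM identifier; the placeholder path is not meant to exist.
    static final String XML_WITH_EXTERNAL_ENTITY =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE cfg [ <!ENTITY ext SYSTEM \"file:///placeholder/path\"> ]>\n"
      + "<cfg><value>&ext;</value></cfg>";

    /**
     * Builds a SAXParserFactory with DTD and external-entity processing disabled.
     * This is the per-factory equivalent of the JVM flags
     * -Djavax.xml.accessExternalDTD="" -Djavax.xml.accessExternalSchema=""
     * -Djavax.xml.accessExternalStylesheet="" from the advisory, plus the
     * stricter step of refusing any DOCTYPE at all.
     */
    public static SAXParserFactory hardenedFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Reject any DOCTYPE declaration outright; with no DTD there are no entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a different parser ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Enable JAXP secure processing (entity expansion limits etc.).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        return f;
    }

    /** Parses with the hardened factory; returns true only if the document was accepted. */
    public static boolean parsesCleanly(String xml) {
        try {
            SAXParser p = hardenedFactory().newSAXParser();
            // Same restriction as the JVM properties, set on the parser itself.
            p.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            p.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            p.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                    new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            // Expected path for the sample above: the DOCTYPE is refused before
            // any entity could be resolved.
            System.err.println("rejected: " + e.getMessage());
            return false;
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        System.out.println("plain document accepted: "
                + parsesCleanly("<cfg><value>ok</value></cfg>"));
        System.out.println("document with external entity accepted: "
                + parsesCleanly(XML_WITH_EXTERNAL_ENTITY));
    }
}
```

Running the class prints `true` for the plain document and `false` for the one carrying a DOCTYPE, with the rejection reason on stderr. Disallowing the DOCTYPE is the setting to prefer where configuration files never legitimately need one; the entity-specific features are there so the factory stays safe on a parser that does not recognise the Xerces-specific feature.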
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.struts:struts2-core | Maven | >= 2.0.0, <= 2.3.37 | — |
| org.apache.struts:struts2-core | Maven | >= 2.5.0, <= 2.5.33 | — |
| org.apache.struts:struts2-core | Maven | >= 6.0.0, < 6.1.1 | 6.1.1 |
| com.opensymphony:xwork | Maven | >= 2.0.0 | — |
| org.apache.struts.xwork:xwork-core | Maven | >= 2.2.1 | — |
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- cwiki.apache.org/confluence/display/WW/S2-069 (vendor advisory, web)
- github.com/advisories/GHSA-qcfc-hmrc-59x7 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-68493 (advisory)
- www.openwall.com/lists/oss-security/2026/01/11/2 (web)
News mentions: 0
No linked articles in our index yet.