A essential XML exterior entity (XXE) injection vulnerability has been found in Apache Struts 2, probably exposing hundreds of thousands of functions to information theft and server compromise.
The vulnerability, tracked as CVE-2025-68493, impacts a number of variations of the broadly used framework and requires rapid motion from builders and system directors.
Vulnerability Overview
The safety flaw exists within the XWork element of Apache Struts 2, which handles XML configuration parsing.
The element fails to correctly validate XML enter, leaving functions weak to XXE injection assaults.
CVE IDVulnerability TypeAffected ComponentAffected VersionsCVE-2025-68493XML Exterior Entity (XXE) InjectionXWork ComponentStruts 2.0.0–2.3.37,2.5.0–2.5.33,6.0.0–6.1.0
Risk actors can exploit this weak spot to entry delicate data saved on affected servers or launch denial-of-service assaults.
Safety researchers at ZAST.AI recognized the vulnerability and reported it to the Apache Struts group.
The vulnerability acquired an “Vital” safety score as a consequence of its potential influence on information confidentiality and system availability.
The vulnerability impacts a broad vary of Struts 2 variations at the moment in use throughout organizations worldwide:
Affected Model RangeStatusStruts 2.0.0 – 2.3.37End-of-LifeStruts 2.5.0 – 2.5.33End-of-LifeStruts 6.0.0 – 6.1.0Active Assist
Organizations working any of those variations ought to prioritize safety updates instantly.
Profitable exploitation of CVE-2025-68493 might lead to:
Affect TypeDescriptionData DisclosureAttackers can extract delicate configuration recordsdata, database credentials, and utility secretsServer-Facet Request Forgery (SSRF)Inner community assets and methods will be compromisedDenial of Service (DoS)Software availability will be disrupted utilizing malicious XML payloads
Apache has launched Struts 6.1.1 because the fastened model. Organizations ought to improve to this launch instantly.
The patch maintains backward compatibility, guaranteeing clean deployment with out breaking current functions.
Organizations unable to improve instantly can implement momentary workarounds:
Mitigation ApproachDescriptionCustom SAXParserFactoryConfigure a customized SAXParserFactory by setting xwork.saxParserFactory to a manufacturing unit class that disables exterior entitiesJVM-Degree ConfigurationDisable exterior entities globally utilizing JVM system properties:-Djavax.xml.accessExternalDTD=””-Djavax.xml.accessExternalSchema=””-Djavax.xml.accessExternalStylesheet=””
These workarounds present momentary safety whereas organizations plan improve timelines. CVE-2025-68493 represents a critical menace to Struts 2 deployments worldwide.
Rapid patching must be the highest precedence for safety groups, adopted by verifying that workarounds are in place for methods that can’t be upgraded instantly.
Organizations ought to evaluate their Struts 2 stock and develop an expedited patching schedule to remove publicity to this essential vulnerability.
Observe us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to characteristic your tales.
