CVE-2025-68493

8.1 HIGH

📋 TL;DR

This CVE describes a Missing XML Validation vulnerability in Apache Struts that allows attackers to inject malicious XML content. It affects Apache Struts versions from 2.0.0 through 6.1.0, potentially impacting any web application built on the framework. The consequences of successful exploitation depend on how the application parses XML.

💻 Affected Systems

Products:
  • Apache Struts
Versions: From 2.0.0 before 2.2.1; from 2.2.1 through 6.1.0
Operating Systems: All operating systems running Apache Struts
Default Config Vulnerable: ⚠️ Yes
Notes: All Apache Struts installations within affected version ranges are vulnerable by default

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution, complete system compromise, or data exfiltration through XML injection attacks
🟠 Likely Case: XML injection leading to denial of service, data manipulation, or information disclosure
🟢 If Mitigated: Limited impact with proper input validation and XML parsing safeguards in place

🌐 Internet-Facing: HIGH - Apache Struts is commonly used for internet-facing web applications
🏢 Internal Only: MEDIUM - Internal applications still vulnerable but attack surface reduced

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires an understanding of how the target application parses XML, and the details vary from one implementation to another.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.1.1

Vendor Advisory: https://cwiki.apache.org/confluence/display/WW/S2-069

Restart Required: Yes

Instructions:

1. Download Apache Struts 6.1.1 from the official Apache website.
2. Replace the existing Struts libraries with the new version.
3. Restart the application server.
4. Test application functionality.

🔧 Temporary Workarounds

Input Validation Filter
Applies to: all
Implement strict XML input validation that rejects malformed or suspicious XML content.
How: implement a custom servlet filter or Struts interceptor that validates XML inputs.

XML Parser Hardening
Applies to: all
Configure XML parsers to disable dangerous features such as external entity expansion.
How: set the following XML parser features:
  setFeature("http://xml.org/sax/features/external-general-entities", false);
  setFeature("http://xml.org/sax/features/external-parameter-entities", false);
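As an added example (not code from the advisory or from the Struts project), the following Java class applies the two SAX features listed above to JAXP DOM and SAX factories and adds the JAXP secure-processing feature plus the Xerces disallow-doctype-decl and load-external-dtd features, which the JDK's bundled parser supports. The class name, the two sample documents and the example.invalid hostname are constructed for illustration; whether a third-party parser recognises the Xerces feature URIs is an assumption noted in the comments.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Added example: JAXP factories with external entity handling switched off. */
public final class HardenedXml {

    // The two SAX features named in the advisory's workaround.
    static final String EXT_GENERAL   = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    // Xerces features supported by the JDK's bundled parser. Assumption: a
    // third-party parser may not recognise them; setFeature then throws, the
    // factory is never handed out, and the application fails closed.
    static final String DISALLOW_DOCTYPE  = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    public static DocumentBuilderFactory hardenedDomFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // JAXP entity/expansion limits
        f.setFeature(DISALLOW_DOCTYPE, true);   // strongest option: no DTD, so no entities at all
        f.setFeature(EXT_GENERAL, false);       // still set in case DOCTYPE must be re-enabled
        f.setFeature(EXT_PARAMETER, false);
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    public static SAXParserFactory hardenedSaxFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(EXT_GENERAL, false);
        f.setFeature(EXT_PARAMETER, false);
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        f.setXIncludeAware(false);
        return f;
    }

    /** Parses a request body with the hardened DOM factory; any DOCTYPE raises SAXException. */
    public static Document parseDom(String xml) throws Exception {
        DocumentBuilder b = hardenedDomFactory().newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    /** Same check through the SAX path; true only if the hardened parser accepts the document. */
    public static boolean acceptsSax(String xml) {
        try {
            hardenedSaxFactory().newSAXParser()
                .parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs, not taken from the advisory.
        String benign = "<order><id>42</id></order>";
        String withDoctype = "<!DOCTYPE order [<!ENTITY ext SYSTEM \"http://example.invalid/x\">]>"
                           + "<order>&ext;</order>";

        System.out.println("benign root element: " + parseDom(benign).getDocumentElement().getTagName());
        System.out.println("benign accepted via SAX: " + acceptsSax(benign));
        try {
            parseDom(withDoctype);
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
        System.out.println("DOCTYPE accepted via SAX: " + acceptsSax(withDoctype));
    }
}
```

Compile and run with `javac HardenedXml.java && java HardenedXml`; the benign document parses and the one carrying a DOCTYPE is rejected on both paths. If the application legitimately needs DTDs, drop only the disallow-doctype-decl line and keep the remaining features, since the two external-entity features from the workaround are what prevent entity resolution in that configuration. The `parseDom` method is the piece to call from the servlet filter or Struts interceptor described under the Input Validation Filter workaround.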

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XML injection patterns
  • Isolate vulnerable systems behind network segmentation and restrict access

🔍 How to Verify

Check if Vulnerable:

Check the version of the struts2-core JAR file in the application's WEB-INF/lib directory.

Check Version:

java -jar struts2-core-*.jar --version, or inspect META-INF/MANIFEST.MF inside the JAR file

Verify Fix Applied:

Verify struts2-core JAR file version is 6.1.1 or higher
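As an added example (not code from the advisory or from the Struts project), the following Java program automates the version check above: it scans a WEB-INF/lib directory for struts2-core JARs, reads the version from the manifest or, failing that, from the file name, and reports it against the 6.1.1 patch version and the 2.0.0 start of the affected range. The class name and the verdict strings are constructed; which manifest attribute a given struts2-core build carries is an assumption, which is why the file name is the fallback.

```java
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: reports whether struts2-core JARs under WEB-INF/lib are at or above 6.1.1. */
public final class StrutsVersionCheck {

    static final int[] FIXED_IN      = {6, 1, 1}; // patch version from the advisory
    static final int[] AFFECTED_FROM = {2, 0, 0}; // start of the affected range

    // Manifest attributes tried in order. Assumption: which of these the shipped
    // JAR carries depends on how it was built; the file name is the fallback.
    static final String[] MANIFEST_KEYS = {"Implementation-Version", "Bundle-Version"};

    // Fallback: version taken from a file name such as struts2-core-6.1.0.jar
    static final Pattern NAME    = Pattern.compile("^struts2-core-(\\d+(?:\\.\\d+)*)[^/]*\\.jar$");
    // Leading numeric part of a version string: "6.1.0-SNAPSHOT" -> "6.1.0"
    static final Pattern NUMERIC = Pattern.compile("^\\d+(?:\\.\\d+)*");

    /** Version string from the manifest, else from the file name, else null. */
    public static String versionOf(Path jar) throws IOException {
        try (JarFile jf = new JarFile(jar.toFile())) {
            Manifest m = jf.getManifest();
            if (m != null) {
                for (String key : MANIFEST_KEYS) {
                    String v = m.getMainAttributes().getValue(key);
                    if (v != null && !v.trim().isEmpty()) return v.trim();
                }
            }
        }
        Matcher mt = NAME.matcher(jar.getFileName().toString());
        return mt.find() ? mt.group(1) : null;
    }

    /** Parses the numeric components of a version string; null if none are present. */
    static int[] numeric(String version) {
        Matcher m = NUMERIC.matcher(version.trim());
        if (!m.find()) return null;
        String[] parts = m.group().split("\\.");
        int[] out = new int[parts.length];
        for (int i = 0; i < parts.length; i++) out[i] = Integer.parseInt(parts[i]);
        return out;
    }

    /** Component-wise comparison; missing trailing components count as 0. */
    static int compare(int[] a, int[] b) {
        int n = Math.max(a.length, b.length);
        for (int i = 0; i < n; i++) {
            int x = i < a.length ? a[i] : 0;
            int y = i < b.length ? b[i] : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    /** Verdict for one version string against the advisory's ranges. */
    public static String verdict(String version) {
        int[] v = numeric(version);
        if (v == null) return "UNKNOWN (unparseable version '" + version + "')";
        if (compare(v, FIXED_IN) >= 0)      return "FIXED (" + version + " >= 6.1.1)";
        if (compare(v, AFFECTED_FROM) < 0)  return "OUTSIDE STATED RANGE (" + version + " < 2.0.0)";
        return "VULNERABLE (" + version + " is within 2.0.0 .. 6.1.0)";
    }

    public static void main(String[] args) throws IOException {
        Path lib = Paths.get(args.length > 0 ? args[0] : "WEB-INF/lib");
        boolean found = false;
        try (DirectoryStream<Path> ds = Files.newDirectoryStream(lib, "struts2-core-*.jar")) {
            for (Path jar : ds) {
                found = true;
                String v = versionOf(jar);
                System.out.println(jar + ": " + (v == null ? "UNKNOWN (no version found)" : verdict(v)));
            }
        }
        if (!found) System.out.println("no struts2-core JAR found under " + lib);
    }
}
```

Run it as `java StrutsVersionCheck /path/to/app/WEB-INF/lib` on each deployed application. The directory glob only matches the plainly named struts2-core JAR; an application that repackages Struts into a shaded or uber JAR needs the manifest or the embedded class files inspected by hand, so a "no struts2-core JAR found" result is not on its own proof that the application is unaffected.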

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors
  • Large XML payloads in requests
  • XML external entity references in logs

Network Indicators:

  • HTTP requests with XML content to Struts endpoints
  • Unusual XML structure in POST requests

SIEM Query:

source="web_server" AND (uri="*.action" OR uri="*.do") AND content_type="application/xml" AND size>10000
