Security
Jan 20, 2026

CVE-2025-68493: Why This Apache Struts Vulnerability Is a Bigger Warning Sign

CVE-2025-68493 exposes how unsupported Apache Struts turns routine vulnerabilities into permanent risk


A new high-severity vulnerability, CVE-2025-68493, has been disclosed in Apache Struts. At a technical level, it is an XML External Entity (XXE) flaw in the XWork component that can lead to remote code execution (RCE).

At a strategic level, it reinforces a much larger and more uncomfortable reality: unsupported Struts deployments dramatically increase security risk.

What Is CVE-2025-68493?

CVE-2025-68493 is an XXE vulnerability caused by missing or incomplete XML parsing safeguards in the XWork configuration parser.

Because external entities are not properly restricted, an attacker can supply malicious XML that causes the application to:

  • Read arbitrary files from the server
  • Perform server-side request forgery (SSRF)
  • Trigger denial-of-service conditions
  • In certain scenarios, escalate to remote code execution

This is not a theoretical issue. XXE flaws are a well-understood and frequently exploited class of vulnerability, especially in enterprise Java applications that rely on XML-heavy configuration and request handling.

Affected Versions

Open Source Struts (OSS):

  • >= 2.0.0 and <= 2.3.37
  • >= 2.5.0 and <= 2.5.33
  • >= 6.0.0 and < 6.1.1

NES for Apache Struts:

  • >= 2.5.33-struts2-2.5.34 and < 2.5.33-struts2-2.5.39

Severity: High
Category: Remote Code Execution
Fix date: January 15, 2025

The vulnerability is already fixed in NES for Apache Struts.

The Real Risk: Unsupported Struts in Production

This CVE matters on its own. But it matters more because of where many Struts applications actually live today.

Large numbers of production systems are still running:

  • End-of-life Struts versions
  • Forked or frozen builds
  • Legacy apps that cannot be easily upgraded

For those environments, vulnerabilities like CVE-2025-68493 create a stark divide.

If you are on a supported path with active security maintenance, this is a patch-and-move-on event.

If you are running unsupported Struts, it is a permanent exposure.

Why Unsupported Struts Is a Security Multiplier

Unsupported frameworks don’t just miss one fix. They miss every future fix.

When a vulnerability like this is discovered:

  • There is no upstream patch
  • There is no CVE remediation path
  • Mitigations become manual, fragile, and incomplete
  • Auditors see unsupported software, not best effort

Over time, these risks stack. XXE today. Something worse tomorrow.

Mitigation Options

If you are affected, there are three realistic approaches.

Upgrade to a Supported Struts Version

This is the cleanest option, but often unrealistic for deeply embedded or highly customized applications.

Apply Defensive Configuration

You can reduce exposure by disabling external entities at the parser or JVM level, for example:

  • Custom SAXParserFactory that blocks external entities
  • JVM flags disabling external DTDs, schemas, and stylesheets

These mitigations help, but they do not replace a real patch.
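As an added illustration of the parser-level mitigation just described (this is example code, not HeroDevs' or the Struts project's own), the following JAXP configuration refuses DOCTYPE declarations and external entities before any document content is processed. It assumes the XML is fed to a standard JAXP SAXParser; the sample document is constructed for the demonstration, and the JVM-level equivalents are noted in the comments.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlParser {

    // Builds a SAXParserFactory with DTD processing and external entity resolution switched off.
    public static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Reject any DOCTYPE outright: with no DTD there are no entity declarations to abuse.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a different parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        // JVM-wide equivalent (JAXP 1.5) for code you cannot change, as an empty value denies all protocols:
        //   -Djavax.xml.accessExternalDTD= -Djavax.xml.accessExternalSchema= -Djavax.xml.accessExternalStylesheet=
        return f;
    }

    // Returns true if the document parsed, false if the hardened parser rejected it.
    public static boolean parse(String xml) throws Exception {
        SAXParser p = hardenedFactory().newSAXParser();
        try {
            p.parse(new InputSource(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))),
                    new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            // Xerces reports the forbidden DOCTYPE here before resolving anything.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a config-style document that declares an external entity.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE struts [<!ENTITY ext SYSTEM \"file:///hypothetical/path\">]>\n"
                + "<struts><constant name=\"x\" value=\"&ext;\"/></struts>";
        String benign = "<struts><constant name=\"x\" value=\"y\"/></struts>";
        System.out.println("document with DOCTYPE rejected: " + !parse(withDoctype));
        System.out.println("benign document parsed: " + parse(benign));
    }
}
```

The factory must be used wherever the application itself parses XML; it does not retrofit the framework's internal XWork parser, which is why the text above treats this as a compensating control rather than a patch.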

Use Supported Extended Security Builds

NES for Apache Struts provides a drop-in patched version that fixes CVE-2025-68493 without requiring a framework migration. This keeps vulnerable applications protected while teams plan longer-term modernization.

The Broader Lesson

CVE-2025-68493 is not an anomaly. It is the expected outcome of continued security research applied to mature frameworks.

The uncomfortable truth is this:

Unsupported software does not stop accumulating vulnerabilities just because development stops.

It simply stops receiving fixes.

If Apache Struts is still critical to your business, supportability is no longer a theoretical concern. It is a security requirement.

And vulnerabilities like this one are the proof.

Frequently Asked Questions

What is CVE-2025-68493?

CVE-2025-68493 is a high-severity XML External Entity (XXE) vulnerability in the XWork component of Apache Struts. It can be exploited to read arbitrary files, perform server-side request forgery, cause denial of service, and potentially escalate to remote code execution.

Which Apache Struts versions are affected by CVE-2025-68493?

The vulnerability affects multiple open-source Apache Struts versions, including:

  • Struts 2 versions >= 2.0.0 and <= 2.3.37
  • Struts 2 versions >= 2.5.0 and <= 2.5.33
  • Struts 6 versions >= 6.0.0 and < 6.1.1

It also affects specific transitional builds prior to the patched NES releases.

Is CVE-2025-68493 fixed?

Yes. CVE-2025-68493 is fixed in NES for Apache Struts, with the patch released on January 15, 2025. Open-source Struts users must upgrade to a supported version or apply compensating controls.

What happens if I am running an unsupported version of Apache Struts?

If you are running an unsupported or end-of-life Struts version, this vulnerability will not be fixed upstream. Any newly discovered issues become permanent risks unless addressed through extended security support or custom mitigation.

Can configuration changes fully mitigate this vulnerability?

Configuration-based mitigations, such as disabling external entities at the XML parser or JVM level, can reduce exposure. However, they do not provide the same assurance as a vendor-supported security patch and may not cover all exploit paths.

What is the safest way to remediate CVE-2025-68493 without migrating off Struts?

For organizations that cannot immediately migrate, HeroDevs’ NES for Apache Struts provides drop-in, production-ready security patches for CVE-2025-68493 and other vulnerabilities, even for versions that are end of life upstream.

Why do vulnerabilities keep appearing in Apache Struts?

Apache Struts continues to receive security scrutiny because it is widely deployed in enterprise environments. New vulnerabilities are discovered over time, even in mature frameworks. When a version is unsupported, those vulnerabilities remain unpatched.

Is running unsupported Apache Struts a compliance risk?

Yes. Unsupported frameworks are commonly flagged during SOC 2, ISO 27001, PCI DSS, and HIPAA audits. Using a supported or extended-support version is often required to pass security and procurement reviews.

Who provides ongoing security support for end-of-life Apache Struts?

HeroDevs provides Never-Ending Support (NES) for Apache Struts, delivering ongoing security fixes, including CVE remediation, for organizations that rely on Struts but cannot upgrade immediately.

Author: HeroDevs