CVE-2025-68493

Category: Remote Code Execution
Affects: Apache Struts (Struts 2)
Versions: >=2.0.0 <=2.3.37, >=2.5.0 <=2.5.33, >=6.0.0 <6.1.1
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Apache Struts is a popular open-source web application framework for developing Java EE web applications. It provides robust support for creating modern Java-based enterprise applications. 

An XML External Entity (XXE) vulnerability (CVE-2025-68493) has been identified in Apache Struts. The issue arises from a missing XML parser hardening configuration (external entity processing is left enabled), which can lead to remote code execution.

Per OWASP, an XML External Entity (XXE) attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

This issue affects multiple versions of Apache Struts.

Details

Module Info

  • Product: Apache Struts 2
  • Affected packages: struts2-core
  • OSS Affected versions: >=2.0.0 <=2.3.37, >=2.5.0 <=2.5.33, >=6.0.0 <6.1.1
  • NES Affected versions: >=2.5.33-struts2-2.5.34 <2.5.33-struts2-2.5.39
  • GitHub repository: https://github.com/apache/struts
  • Package manager: Maven
  • Fixed in: NES for Apache Struts, Struts 2 v2.5.39

Vulnerability Info

The XWork component’s XML configuration parser does not properly validate XML input, allowing external entities to be processed. This weakness can be exploited through XML External Entity (XXE) injection, potentially enabling attackers to read arbitrary files, perform server-side request forgery (SSRF), or cause denial-of-service conditions by supplying malicious XML content.

Mitigation

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a patched Apache Struts 2 release.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
  • Use a custom SAXParserFactory: set the xwork.saxParserFactory property to a custom factory class that disables external entities by default.
  • Define JVM-level configuration: configure the JVM's default XML parser to disable external entities via system properties (set each to an empty string to block all protocols):

-Djavax.xml.accessExternalDTD=""
-Djavax.xml.accessExternalSchema=""
-Djavax.xml.accessExternalStylesheet=""
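The following Java class is an added example of the third mitigation above (a custom SAXParserFactory that disables external entities) and is not code from the Struts project or from HeroDevs. The class name NoExternalEntitiesSaxParserFactory is an assumption; the feature URIs are the standard SAX/Xerces names supported by the JDK's built-in parser. It also sets the same accessExternalDTD property that the JVM-level -Djavax.xml.accessExternalDTD="" flag controls, scoped to the parsers it creates. How Struts reads the xwork.saxParserFactory key (system property versus configuration file) is not stated on this page, so wiring the class in is left to the Struts documentation. The main method is a self-check on a constructed document.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Hypothetical hardened factory (the name is an assumption, not a Struts class).
 * It wraps the platform default SAXParserFactory and refuses to resolve
 * external general/parameter entities or external DTD subsets, so an
 * <!ENTITY ... SYSTEM "..."> declaration in parsed XML is never fetched.
 */
public class NoExternalEntitiesSaxParserFactory extends SAXParserFactory {
    // Standard SAX / Xerces feature URIs (supported by the JDK's built-in parser).
    static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAM = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXT_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    private final SAXParserFactory delegate = SAXParserFactory.newDefaultInstance(); // Java 9+

    public NoExternalEntitiesSaxParserFactory() {
        try {
            delegate.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            delegate.setFeature(EXT_GENERAL, false);
            delegate.setFeature(EXT_PARAM, false);
            delegate.setFeature(LOAD_EXT_DTD, false);
        } catch (ParserConfigurationException | SAXException e) {
            // Fail closed: a parser that cannot be hardened must not be used for untrusted input.
            throw new IllegalStateException("XML parser does not support XXE hardening features", e);
        }
    }

    @Override
    public SAXParser newSAXParser() throws ParserConfigurationException, SAXException {
        SAXParser parser = delegate.newSAXParser();
        try {
            // Same effect as -Djavax.xml.accessExternalDTD="" but scoped to this parser:
            // an empty protocol list blocks every scheme for external DTDs and entities.
            parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            // Non-JDK parsers may not know this property; the feature flags above still apply.
        }
        return parser;
    }

    @Override
    public void setFeature(String name, boolean value)
            throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
        // Callers may tighten settings but must not re-enable external entity loading.
        if (value && (EXT_GENERAL.equals(name) || EXT_PARAM.equals(name) || LOAD_EXT_DTD.equals(name))) {
            throw new SAXNotSupportedException("external entity processing is disabled by policy: " + name);
        }
        delegate.setFeature(name, value);
    }

    @Override
    public boolean getFeature(String name)
            throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
        return delegate.getFeature(name);
    }

    // Forward the remaining configuration so callers (e.g. a config loader that validates
    // against a DTD supplied through its own EntityResolver) see the expected behaviour.
    @Override public void setNamespaceAware(boolean aware) { delegate.setNamespaceAware(aware); }
    @Override public boolean isNamespaceAware() { return delegate.isNamespaceAware(); }
    @Override public void setValidating(boolean validating) { delegate.setValidating(validating); }
    @Override public boolean isValidating() { return delegate.isValidating(); }

    // Self-check on a constructed document: the external entity is reported as skipped
    // and contributes no text, instead of being read from the (placeholder) URI.
    public static void main(String[] args) throws Exception {
        String constructedDoc = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE r [ <!ENTITY ext SYSTEM \"file:///placeholder-never-read\"> ]>\n"
                + "<r>&ext;</r>";
        final boolean[] skipped = {false};
        final StringBuilder text = new StringBuilder();
        DefaultHandler handler = new DefaultHandler() {
            @Override public void skippedEntity(String name) { skipped[0] = true; }
            @Override public void characters(char[] ch, int start, int len) { text.append(ch, start, len); }
        };
        new NoExternalEntitiesSaxParserFactory().newSAXParser()
                .parse(new InputSource(new StringReader(constructedDoc)), handler);
        System.out.println("external entity skipped: " + skipped[0] + ", element text: '" + text + "'");
    }
}
```

The factory deliberately does not set the Xerces disallow-doctype-decl feature: that is the strongest setting, but Struts configuration files declare a DOCTYPE for their DTD (resolved locally through the framework's own EntityResolver), so refusing every DOCTYPE would break configuration loading. Disabling external general and parameter entities and blocking all external DTD protocols leaves a local DTD usable while stopping the file-read, SSRF and denial-of-service outcomes described above. The JVM-level -D properties remain worthwhile as a second layer, since they also cover parsers created elsewhere in the application that bypass this factory.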

Credit

  • ZAST.AI - https://zast.ai

Vulnerability Details

  • ID: CVE-2025-68493
  • Project affected: Apache Struts
  • Versions affected: >=2.0.0 <=2.3.37, >=2.5.0 <=2.5.33, >=6.0.0 <6.1.1
  • Published date: January 16, 2026
  • Fix date (approximate): January 15, 2026
  • Severity: High
  • Category: Remote Code Execution

Severity levels by CVSS assessment: Low (>=0 <4), Medium (>=4 <6), High (>=6 <8), Critical (>=8 <10).