
Apache Struts Release Notes

22 versions

Apache Struts is an open-source Java framework for building web applications using the Model-View-Controller (MVC) architecture.

Jan 15, 2026
Latest: 2.5.39
73 Patched CVEs

January 2026

2.5.39

Released on Jan 15, 2026
Full Version:
2.5.33-struts2-2.5.39

Bug Fixes

This release patches the following:

  • Apache Struts 2 is Missing XML Validation (CVE-2025-68493)
    • org.apache.struts:struts2-core:2.5.33-struts2-2.5.39

December 2025

2.5.38

Full Version:
2.5.33-struts2-2.5.38

Bug Fixes

This release patches the following through the dependency upgrades listed below.

Dependency Upgrades

  • commons-fileupload:commons-fileupload 1.4 -> 1.6.0
    • CVE-2023-24998: FileUpload denial of service vulnerability
      • Added configuration: struts.multipart.maxFiles (default 256), the maximum number of files allowed in a multipart request
      • Added configuration: struts.multipart.maxFileSize (default 2097152), the maximum size per file in a multipart request, in bytes
    • CVE-2025-48976: FileUpload DoS via part headers
      • Added configuration: struts.multipart.partHeaderSizeMax (default 512), the maximum size of the headers of each part in a multipart request, in bytes
  • commons-io:commons-io 2.6 -> 2.19.0
    • CVE-2021-29425: Path traversal and improper input validation in Apache Commons IO
    • CVE-2024-47554: Possible denial of service attack on untrusted input to XmlStreamReader
  • commons-beanutils:commons-beanutils 1.9.4 -> 1.11.0

November 2025

1.3.17

Released on Nov 20, 2025
Full Version:
1.3.10-struts-1.3.17

Notes

  • struts-tiles removed its dependency on commons-io, as it is no longer required.
  • struts-core now uses a more efficient implementation for its security-related regular expression.

1.2.10-trial

Released on Nov 15, 2025
Full Version:
1.2.9-struts-1.2.10-trial

Notes

  • This release originates from the open‑source Struts project forked by HeroDevs.
  • This release contains no functional changes from Struts version 1.2.

1.2.10

Full Version:
1.2.9-struts-1.2.10

Bug Fixes

This release patches the following:

  • CVE-2008-2025: Possible XSS
    • This is not a security flaw in Struts itself: Struts has never guaranteed to filter untrusted user input that is used as HTML tag attribute names or values.
    • A patch was applied that escapes double quotes in untrusted user input where they are not already escaped.
  • CVE-2014-0114: Class loader manipulation
  • CVE-2015-0899: MultiPageValidator bypass
  • CVE-2016-1181: Mishandled multithreaded access to an ActionForm instance (multipart requests)
  • CVE-2016-1182: Improperly restricted Validator configuration
  • CVE-2023-34396: Memory exhaustion via Struts upload
    • The struts-config controller tag supports a maxStringLen attribute (default 4K)
  • CVE-2023-49735: Tiles: unvalidated input may lead to SSRF/XXE
  • CVE-2025-54656: Improper output neutralization for logs

Notes

  • This release originates from the open‑source Struts project forked by HeroDevs.
  • groupId: struts
  • artifactId: struts, struts-el

September 2025

2.5.37

Released on Sep 12, 2025
Full Version:
2.5.33-struts2-2.5.37

Notes

  • Build enhancements and publishing improvements.

1.3.16

Released on Sep 12, 2025
Full Version:
1.3.10-struts-1.3.16

Notes

  • Added sources jar to the published artifacts.

1.1.4

Released on Sep 12, 2025
Full Version:
1.1.0-struts-1.1.4

Notes

  • Added sources jar to the published artifacts.

August 2025

1.3.15

Released on Aug 4, 2025
Full Version:
1.3.10-struts-1.3.15

Bug Fixes

This release patches the following:

July 2025

1.3.14

Released on Jul 18, 2025
Full Version:
1.3.10-struts-1.3.14

Bug Fixes

This release patches the following:

  • CVE-2025-48976: FileUpload DoS via part headers
    • The struts-config controller tag supports a maxHeaderSize attribute that limits the size of part headers (default 256 bytes).
  • CVE-2025-48734: Improper access control vulnerability
    • Upgrading beanutils to 1.11.0, or overriding it to nes-v1.7.4, addresses this vulnerability.

Dependency Upgrades

  • commons-beanutils:commons-beanutils 1.9.4 -> 1.11.0
  • commons-fileupload:commons-fileupload 1.5 -> nes-v1.5.2

1.1.3

Released on Jul 17, 2025
Full Version:
1.1.0-struts-1.1.3

Bug Fixes

This release patches the following:

  • CVE-2025-48976: FileUpload DoS via part headers
    • The struts-config controller tag supports a maxHeaderSize attribute that limits the size of part headers (default 256 bytes).
  • CVE-2025-48734: Improper access control vulnerability
    • Upgrading beanutils to 1.11.0, or overriding it to nes-v1.7.4, addresses this vulnerability.

Dependency Upgrades

  • commons-fileupload:commons-fileupload nes-v1.5.1 -> nes-v1.5.2
  • commons-beanutils:commons-beanutils 1.9.4 -> 1.11.0
  • Removed commons-lang:commons-lang 2.1
    • Struts 1.1.x does not use commons-lang, so it is removed to avoid confusion.
    • If your application uses commons-lang, add it as a dependency of your own project.
    • The recommended version is org.apache.commons:commons-lang3:3.18.0.

2.5.35-trial

Released on Jul 9, 2025
Full Version:
2.5.33-struts2-2.5.35-trial

Notes

  • This release originates from the open‑source Struts 2 project forked by HeroDevs.
  • This release contains no functional changes from Struts version 2.5.33.

June 2025

1.3.13

Released on Jun 23, 2025
Full Version:
1.3.10-struts-1.3.13

Dependency Upgrades

  • commons-fileupload:commons-fileupload 1.5 -> nes-v1.5.1
  • commons-logging:commons-logging 1.0.4 -> 1.3.5
  • taglibs:standard 1.0.6 -> nes-v1.0.7

1.1.2

Released on Jun 23, 2025
Full Version:
1.1.0-struts-1.1.2

Bug Fixes

This release patches the following:

May 2025

1.1.1

Full Version:
1.1.0-struts-1.1.1

Bug Fixes

This release patches the following:

  • CVE-2006-1546: Improper input validation
  • CVE-2006-1547: Multipart denial of service
  • CVE-2006-1548: Cross-site scripting (XSS)
  • CVE-2008-2025: Possible XSS
    • This is not a security flaw in Struts itself: Struts has never guaranteed to filter untrusted user input that is used as HTML tag attribute names or values.
    • A patch was applied that escapes double quotes in untrusted user input where they are not already escaped.
  • CVE-2014-0114: Class loader manipulation
  • CVE-2015-0899: MultiPageValidator bypass
  • CVE-2016-1181: Mishandled multithreaded access to an ActionForm instance (multipart requests)
  • CVE-2016-1182: Improperly restricted Validator configuration
  • CVE-2023-34396: Memory exhaustion via Struts upload
    • The struts-config controller tag supports a maxStringLen attribute (default 4K)
  • CVE-2023-49735: Tiles: unvalidated input may lead to SSRF/XXE
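The CVE-2008-2025 note above (and the identical note under 1.2.10) makes a distinction worth seeing in code: an untrusted string placed inside a quoted attribute value can be neutralized by escaping, but an untrusted string used as an attribute name cannot, because there is no quoting context to escape out of. The following Python is an added illustration, not the Struts patch or any Struts tag code: it puts the verbatim-interpolation pattern the advisory describes beside a hardened renderer that escapes values and allowlists names. The function names, the allowlist pattern and the two payload strings are this example's own constructions.

```python
import html
import re

# Strict allowlist for attribute names (this example's choice): no escaping can make an
# arbitrary name safe, so names are validated rather than escaped.
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_:-]*$")


def escape_attr_value(value: str) -> str:
    """Entity-encode every character that can end or alter a double-quoted attribute value."""
    return html.escape(value, quote=True)


def render_tag_unsafe(tag: str, attrs: dict[str, str]) -> str:
    """The pattern the advisory describes: untrusted input dropped into the tag verbatim."""
    return "<" + " ".join([tag] + [f'{k}="{v}"' for k, v in attrs.items()]) + ">"


def render_tag(tag: str, attrs: dict[str, str]) -> str:
    """Hardened form: every value is escaped and every name must pass the allowlist."""
    rendered = [tag]
    for name, value in attrs.items():
        if not _ATTR_NAME.match(name):
            raise ValueError(f"refusing attribute name {name!r}")
        rendered.append(f'{name}="{escape_attr_value(value)}"')
    return "<" + " ".join(rendered) + ">"


# Constructed attacker inputs: the first breaks out of a quoted value, the second
# smuggles an event handler through the attribute *name*.
VALUE_PAYLOAD = '" onmouseover="alert(1)'
NAME_PAYLOAD = 'value="x" onfocus="alert(1)'


def demo() -> dict[str, str]:
    """Render the value payload both ways and try the name payload against the hardened renderer."""
    out = {
        "unsafe": render_tag_unsafe("input", {"value": VALUE_PAYLOAD}),
        "safe": render_tag("input", {"value": VALUE_PAYLOAD}),
    }
    try:
        render_tag("input", {NAME_PAYLOAD: "y"})
        out["name"] = "accepted"
    except ValueError:
        out["name"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsafe renderer emits `<input value="" onmouseover="alert(1)">`, a working handler; the hardened one emits `&quot;` in place of each quote so the value stays inert, and it refuses the name payload outright. The Struts patch only adds escaping where quotes are not already escaped; this example always escapes, which is the simpler rule when you control the whole rendering path.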

Notes

  • This release originates from the open‑source Struts project forked by HeroDevs.
  • groupId: struts
  • artifactId: struts, struts-legacy, struts-el

April 2025

Bug Fixes

This release patches the following:

  • CVE-2023-34396: Memory exhaustion via Struts upload
    • The struts-config controller tag supports a maxStringLen attribute (default 4K)
  • CVE-2023-24998: commons-fileupload, limit the number of request parts
    • The struts-config controller tag supports:
      • fileCountMax: the maximum number of file parts (default -1, meaning no limit)
      • maxSize: the maximum allowed size of a complete request (default 256M)
  • CVE-2023-49735: Tiles: unvalidated input may lead to SSRF/XXE
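The multipart limits scattered through these notes (the struts.multipart.maxFiles, maxFileSize and partHeaderSizeMax constants added in 2.5.38, and the Struts 1 controller attributes maxStringLen, maxHeaderSize, fileCountMax and maxSize) all bound the same thing: how much memory a single request can force the server to allocate before application code ever runs. The Python below is an added illustration, not Struts or commons-fileupload code. It walks a constructed multipart/form-data body and rejects each of the request shapes behind CVE-2023-24998 (an unbounded number of parts), CVE-2025-48976 (oversized part headers) and CVE-2023-34396 (an oversized string field) at the moment the limit is crossed. The MultipartLimits names, the BOUNDARY value and the sample bodies are this example's own; the default values mirror the ones quoted above, and counting only parts that carry a filename toward max_files is this example's interpretation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MultipartLimits:
    """Bounds named in the release notes; defaults are the values quoted there."""
    max_files: int = 256             # struts.multipart.maxFiles / fileCountMax
    max_file_size: int = 2097152     # struts.multipart.maxFileSize, bytes
    part_header_size_max: int = 512  # struts.multipart.partHeaderSizeMax / maxHeaderSize, bytes
    max_string_len: int = 4096       # maxStringLen, bytes of a non-file field


class MultipartRejected(Exception):
    """Raised as soon as a limit is exceeded, before the offending part is buffered."""


def build_body(boundary: bytes, parts: list[tuple[bytes, bytes]]) -> bytes:
    """Assemble a multipart/form-data body from (raw part headers, content) pairs."""
    out = b"".join(b"--" + boundary + b"\r\n" + hdr + b"\r\n\r\n" + content + b"\r\n"
                   for hdr, content in parts)
    return out + b"--" + boundary + b"--\r\n"


def check_multipart(body: bytes, boundary: bytes, limits: MultipartLimits) -> int:
    """Walk the body part by part, enforcing every limit; returns the number of file parts.

    Toy parser: assumes the boundary never occurs inside part content."""
    files = 0
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter
        if not chunk.startswith(b"\r\n"):
            raise MultipartRejected("malformed delimiter")
        chunk = chunk[2:]
        sep = chunk.find(b"\r\n\r\n")
        if sep < 0:
            raise MultipartRejected("part headers not terminated")
        headers = chunk[:sep]
        # CVE-2025-48976 shape: a part whose headers alone are arbitrarily large.
        if len(headers) > limits.part_header_size_max:
            raise MultipartRejected(f"part header too large: {len(headers)} bytes")
        content = chunk[sep + 4:]
        if content.endswith(b"\r\n"):
            content = content[:-2]
        if b"filename=" in headers.lower():
            files += 1
            # CVE-2023-24998 shape: an unbounded number of (tiny) file parts.
            if files > limits.max_files:
                raise MultipartRejected(f"too many file parts: more than {limits.max_files}")
            if len(content) > limits.max_file_size:
                raise MultipartRejected(f"file part too large: {len(content)} bytes")
        elif len(content) > limits.max_string_len:
            # CVE-2023-34396 shape: a huge string field buffered in memory.
            raise MultipartRejected(f"string field too large: {len(content)} bytes")
    return files


BOUNDARY = b"----limitdemo"  # constructed for this example
_FILE_HDR = b'Content-Disposition: form-data; name="f"; filename="x"'


def sample_benign() -> bytes:
    return build_body(BOUNDARY, [
        (b'Content-Disposition: form-data; name="title"', b"quarterly report"),
        (b'Content-Disposition: form-data; name="doc"; filename="q1.txt"\r\n'
         b'Content-Type: text/plain', b"hello"),
    ])


def sample_too_many_files(n: int = 300) -> bytes:
    return build_body(BOUNDARY, [(_FILE_HDR, b"")] * n)


def sample_huge_header(size: int = 1024) -> bytes:
    hdr = b'Content-Disposition: form-data; name="f"; filename="' + b"A" * size + b'"'
    return build_body(BOUNDARY, [(hdr, b"x")])


def sample_big_file(size: int = 3 * 1024 * 1024) -> bytes:
    return build_body(BOUNDARY, [(_FILE_HDR, b"\0" * size)])


def sample_big_field(size: int = 10 * 1024) -> bytes:
    return build_body(BOUNDARY, [(b'Content-Disposition: form-data; name="comment"', b"A" * size)])


def classify(body: bytes, limits: MultipartLimits = MultipartLimits()) -> str:
    """'accepted:<file count>' or 'rejected:<reason>' for a body under the given limits."""
    try:
        return f"accepted:{check_multipart(body, BOUNDARY, limits)}"
    except MultipartRejected as exc:
        return f"rejected:{exc}"


if __name__ == "__main__":
    for name, body in [("benign", sample_benign()), ("many files", sample_too_many_files()),
                       ("huge header", sample_huge_header()), ("big file", sample_big_file()),
                       ("big field", sample_big_field())]:
        print(f"{name:12s} {classify(body)}")
```

The ordering inside the loop is the point: header size is checked before any content is read, the part count is checked before the part's size, and a string field is bounded separately from a file part. Raising the matching limit (for example part_header_size_max=2048 for a 1 KB filename) makes the same body pass, which is how the new struts.multipart.* constants are meant to be tuned when a legitimate upload form trips a default.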

March 2025

2.5.36

Released on Mar 28, 2025
Full Version:
2.5.33-struts2-2.5.36

Notes

  • Publish Apache Struts 2 under the org.apache.struts group ID instead of com.herodevs.nes.apache.struts.

1.1.1-trial

Released on Mar 5, 2025
Full Version:
1.1.0-struts-1.1.1-trial

Notes

  • This release originates from the open‑source Struts project forked by HeroDevs.
  • This release contains no functional changes from Struts version 1.1.

February 2025

1.3.11-trial

Released on Feb 5, 2025
Full Version:
1.3.10-struts-1.3.11-trial

Notes

  • This release originates from the open‑source Struts project forked by HeroDevs.
  • This release contains no functional changes from Struts version 1.3.10.

1.3.11

Full Version:
1.3.10-struts-1.3.11

Bug Fixes

This release patches the following:

December 2024

2.5.35

Released on Dec 23, 2024
Full Version:
2.5.33-struts2-2.5.35

Bug Fixes

This release patches the following:

  • File upload logic is flawed and allows an attacker to use paths containing traversals (CVE-2024-53677).
    • com.herodevs.nes.apache.struts:struts2-core:2.5.33-struts2-2.5.35
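CVE-2024-53677 is a path traversal in file-upload handling, so the check every upload endpoint needs is the same regardless of framework: never let a client-supplied filename choose a directory. The Python below is an added illustration, not the Struts fix or Struts code: it vets a client filename and proves the final path still sits directly under the upload root. The function names, the UnsafeFilename exception, the "uploads" root and the sample filenames are this example's own; rejecting any name that contains a separator (rather than stripping it to a basename) is this example's stricter choice.

```python
from pathlib import Path


class UnsafeFilename(ValueError):
    """Raised for any client filename that could steer the write outside the upload root."""


def safe_upload_path(upload_root: str, client_filename: str) -> Path:
    """Return the on-disk path for a client-supplied filename, or raise UnsafeFilename.

    Rules (this example's policy):
      1. the name must be a single path segment: no '/' or '\\' for either OS convention
      2. empty, '.', '..', dot-prefixed and control-character names are refused
      3. after resolving, the target's parent must be exactly the resolved root,
         a containment check that does not rely on string-prefix comparison
    """
    name = client_filename
    if (not name or "/" in name or "\\" in name or name in (".", "..")
            or name.startswith(".") or any(ord(c) < 32 for c in name)):
        raise UnsafeFilename(repr(client_filename))
    root = Path(upload_root).resolve()
    target = (root / name).resolve()
    if target.parent != root:
        raise UnsafeFilename(repr(client_filename))
    return target


def vet(client_filename: str, upload_root: str = "uploads") -> str:
    """Name the file would be stored under, or 'REJECTED'."""
    try:
        return safe_upload_path(upload_root, client_filename).name
    except UnsafeFilename:
        return "REJECTED"


if __name__ == "__main__":
    # Constructed inputs: one honest name and the usual traversal shapes.
    for candidate in ["report.pdf", "../../etc/passwd", "..\\..\\win.ini", "..",
                      ".htaccess", "a\x00.jsp", ""]:
        print(f"{candidate!r:22s} -> {vet(candidate)}")
```

Rule 3 looks redundant once rule 1 holds, and today it is; it stays because it is the check that survives a later change to rule 1 (say, someone relaxing it to accept subdirectories) and because it catches a root that is itself a symlink. Store under a server-generated name and keep the vetted client name only as metadata if the application can afford it.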

September 2024

2.5.34

Released on Sep 5, 2024
Full Version:
2.5.33-struts2-2.5.34

Notes

  • This release originates from the open-source Struts project forked by HeroDevs. It includes changes made by HeroDevs so that the framework builds successfully.
  • This release contains no functional changes from Struts version 2.5.33.
