Visit NES for Apache Struts Home Page
Apache Struts Release Notes
5 versions
Release notes for Apache Struts
Sep 12, 2025
Latest: 1.1.4
73 Patched CVEs
September 2025
July 2025
1.1.3
Released on Jul 17, 2025 Full Version:
1.1.0-struts-1.1.3
Bug Fixes
This release patches the following:
- CVE-2025-48976 FileUpload DoS via part headers
- Controller supports tag
maxHeaderSizeto limit the size of part headers with default of256 bytes.
- Controller supports tag
- CVE-2025-48734: Improper Access Control vulnerability
- Dependency upgrade of beanutils to
1.11.0or override tones-v1.7.4addresses this vulnerability.
- Dependency upgrade of beanutils to
Dependency Upgrades
- commons-fileupload:commons-fileupload nes-v1.5.1 -> nes-v1.5.2
- commons-beanutils:commons-beanutils 1.9.4 -> 1.11.0
- remove commons-lang:commons-lang 2.1
- Struts 1.1.x does not use commons-lang, so it is removed to avoid confusion.
- If your application uses commons-lang, please add as a dependency to your project.
- Recommended version is
org.apache.commons:commons-lang3:3.18.0.
June 2025
1.1.2
Released on Jun 23, 2025 Full Version:
1.1.0-struts-1.1.2
Bug Fixes
This release patches the following:
- CVE-2005-3745: Cross-site scripting (XSS)
May 2025
1.1.1
Released on May 8, 2025 Full Version:
1.1.0-struts-1.1.1
Bug Fixes
This release patches the following:
- CVE-2006-1546: Improper Input Validation
- Breaking Change instructions
- CVE-2006-1547: DoS Multipart
- CVE-2006-1548: Cross-site scripting (XSS)
- CVE-2008-2025: Possible XSS
- This is not a security flaw in Struts. Struts has never guaranteed to perform filtering of the untrusted user inputs used as html tag attributes names or values.
- A patch was applied to escape untrusted user inputs using double quotes if not already escaped.
- CVE-2014-0114: Class Loader manipulation
- CVE-2015-0899: MultiPageValidator bypass
- CVE-2016-1181: Multithreaded access to an ActionForm multipart access
- CVE-2016-1182: Access to Validator configuration
- CVE-2023-34396: Struts upload memory exhaustion
- struts-config controller tag supports
maxStringLenwith default of4K
- struts-config controller tag supports
- CVE-2023-49735: Tiles: Unvalidated input may lead to SSRF/XXE
Dependency Upgrades
- commons-beanutils:commons-beanutils 1.6.1 -> 1.9.4
- commons-collections:commons-collections 3.1 -> 3.2.2
- commons-digester:commons-digester 1.6 -> 1.8
- commons-fileupload:commons-fileupload 1.0 -> nes-v1.5.1
- CVE-2013-0248
- CVE-2013-2186
- CVE-2014-0050
- CVE-2016-1000031
- CVE-2016-3092
- CVE-2023-24998 commons-fileupload: limit number of request parts
- struts-config controller tag supports:
fileCountMaxSets the maximum number of file parts with default of-1maxSizeSets the maximum allowed size of a complete request with default of256M
- struts-config controller tag supports:
- commons-logging:commons-logging 1.0 -> 1.3.5
- log4j 1.1.3 -> log4j2 2.24.3
- oro:oro 2.0.7 -> 2.0.8
- taglibs:standard 1.0.6 -> nes-v1.0.7
Notes
- This release originates from the open‑source Struts project forked by HeroDevs.
- groupId:
struts - artifactId:
struts,struts-legacy,struts-el
March 2025
1.1.1-trial
Released on Mar 5, 2025 Full Version:
1.1.0-struts-1.1.1-trial
Notes
- This release originates from the open‑source Struts project forked by HeroDevs.
- This release contains no functional changes from Struts version
1.1.
Stay in the loop
~/herodevs-spring-framework-support
herodevs@nes:open-source$ ./display-support-info.sh