Apache Struts 1.1.x Release Notes

5 versions

Comprehensive release notes and changelog for Apache Struts 1.1.x, including security patches, bug fixes, and feature updates across all supported versions.

Sep 12, 2025

Latest: 1.1.4

73 Patched Vulnerabilities

VEX Statements

September 2025

1.1.4

Released Sep 12, 2025

Full Version:

1.1.0-struts-1.1.4

Notes

Added sources jar to the published artifacts.

July 2025

1.1.3

Released Jul 17, 2025

CVE-2025-48976

CVE-2025-48734

Full Version:

1.1.0-struts-1.1.3

Bug Fixes

This release patches the following:

CVE-2025-48976 FileUpload DoS via part headers
- Controller supports tag maxHeaderSize to limit the size of part headers with default of 256 bytes.
CVE-2025-48734: Improper Access Control vulnerability
- Dependency upgrade of beanutils to 1.11.0 or override to nes-v1.7.4 addresses this vulnerability.

Dependency Upgrades

commons-fileupload:commons-fileupload nes-v1.5.1 -> nes-v1.5.2
commons-beanutils:commons-beanutils 1.9.4 -> 1.11.0
remove commons-lang:commons-lang 2.1
- Struts 1.1.x does not use commons-lang, so it is removed to avoid confusion.
- If your application uses commons-lang, please add as a dependency to your project.
- Recommended version is org.apache.commons:commons-lang3:3.18.0.

June 2025

1.1.2

Released Jun 23, 2025

CVE-2005-3745

Full Version:

1.1.0-struts-1.1.2

Bug Fixes

This release patches the following:

CVE-2005-3745: Cross-site scripting (XSS)

May 2025

1.1.1

Released May 8, 2025

21 More

Full Version:

1.1.0-struts-1.1.1

Bug Fixes

This release patches the following:

CVE-2006-1546: Improper Input Validation
- Breaking Change instructions
CVE-2006-1547: DoS Multipart
CVE-2006-1548: Cross-site scripting (XSS)
CVE-2008-2025: Possible XSS
- This is not a security flaw in Struts. Struts has never guaranteed to perform filtering of the untrusted user inputs used as html tag attributes names or values.
- A patch was applied to escape untrusted user inputs using double quotes if not already escaped.
CVE-2014-0114: Class Loader manipulation
CVE-2015-0899: MultiPageValidator bypass
CVE-2016-1181: Multithreaded access to an ActionForm multipart access
CVE-2016-1182: Access to Validator configuration
CVE-2023-34396: Struts upload memory exhaustion
- struts-config controller tag supports maxStringLen with default of 4K
CVE-2023-49735: Tiles: Unvalidated input may lead to SSRF/XXE

Dependency Upgrades

commons-beanutils:commons-beanutils 1.6.1 -> 1.9.4
- CVE-2014-0114
- CVE-2019-10086
commons-collections:commons-collections 3.1 -> 3.2.2
- CVE-2015-7501
- CVE-2015-6420
commons-digester:commons-digester 1.6 -> 1.8
commons-fileupload:commons-fileupload 1.0 -> nes-v1.5.1
- CVE-2013-0248
- CVE-2013-2186
- CVE-2014-0050
- CVE-2016-1000031
- CVE-2016-3092
- CVE-2023-24998 commons-fileupload: limit number of request parts
  - struts-config controller tag supports:
    - fileCountMax Sets the maximum number of file parts with default of -1
    - maxSize Sets the maximum allowed size of a complete request with default of 256M
commons-logging:commons-logging 1.0 -> 1.3.5
- log4j 1.1.3 -> log4j2 2.24.3
oro:oro 2.0.7 -> 2.0.8
taglibs:standard 1.0.6 -> nes-v1.0.7
- CVE-2015-0254

Notes

This release originates from the open‑source Struts project forked by HeroDevs.
groupId: struts
artifactId: struts, struts-legacy, struts-el

March 2025

1.1.1-trial

Released Mar 5, 2025

Full Version:

1.1.0-struts-1.1.1-trial

Notes

This release originates from the open‑source Struts project forked by HeroDevs.
This release contains no functional changes from Struts version 1.1. Full Version: 1.1.0-struts-1.1.1-trial

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.

New releases published regularly — check back often for the latest security updates

$ cat features.txt

Security Patches
Regular updates to keep your applications secure
CVE Remediation
Rapid response to critical vulnerabilities
Expert Support
Direct access to our development team