Apache Struts Release Notes
2 versions
Release notes for Apache Struts
Nov 15, 2025
Latest: 1.2.10
73 Patched CVEs
November 2025
1.2.10
Released on Nov 15, 2025. Full Version: 1.2.9-struts-1.2.10
Bug Fixes
This release patches the following:
- CVE-2008-2025: Possible XSS
  - This is not a security flaw in Struts. Struts has never guaranteed to perform filtering of the untrusted user inputs used as HTML tag attribute names or values.
  - A patch was applied to escape untrusted user inputs using double quotes if not already escaped.
- CVE-2014-0114: Class Loader manipulation
- CVE-2015-0899: MultiPageValidator bypass
- CVE-2016-1181: Multithreaded access to an ActionForm multipart access
- CVE-2016-1182: Access to Validator configuration
- CVE-2023-34396: Struts upload memory exhaustion
  - struts-config controller tag supports maxStringLen with default of 4K
- CVE-2023-49735: Tiles: Unvalidated input may lead to SSRF/XXE
- CVE-2025-54656: Improper Output Neutralization for Logs Vulnerability
Dependency Upgrades
- commons-beanutils:commons-beanutils 1.6.1 -> 1.9.4
- commons-collections:commons-collections 3.1 -> 3.2.2
- commons-digester:commons-digester 1.6 -> 1.8
- commons-fileupload:commons-fileupload 1.0 -> nes-v1.5.2
  - CVE-2013-0248
  - CVE-2013-2186
  - CVE-2014-0050
  - CVE-2016-1000031
  - CVE-2016-3092
  - CVE-2023-24998 commons-fileupload: limit number of request parts
    - struts-config controller tag supports:
      - fileCountMax: Sets the maximum number of file parts, with default of -1
      - maxSize: Sets the maximum allowed size of a complete request, with default of 256M
- commons-logging:commons-logging 1.0 -> 1.3.5
- log4j 1.1.3 -> log4j2 2.24.3
- oro:oro 2.0.7 -> 2.0.8
- taglibs:standard 1.0.6 -> nes-v1.0.7
Notes
- This release originates from the open‑source Struts project forked by HeroDevs.
- groupId: struts
- artifactId: struts, struts-el
1.2.10-trial
Released on Nov 15, 2025. Full Version: 1.2.9-struts-1.2.10-trial
Notes
- This release originates from the open‑source Struts project forked by HeroDevs.
- This release contains no functional changes from Struts version 1.2.