Apache Struts Release Notes

Bug Fixes

This release patches the following:

• CVE-2008-2025: Possible XSS
  • This is not a security flaw in Struts. Struts has never guaranteed to perform filtering of the untrusted user inputs used as html tag attributes names or values.
  • A patch was applied to escape untrusted user inputs using double quotes if not already escaped.
• CVE-2014-0114: Class Loader manipulation
• CVE-2015-0899: MultiPageValidator bypass
• CVE-2016-1181: Multithreaded access to an ActionForm multipart access
• CVE-2016-1182: Access to Validator configuration
• CVE-2023-34396: Struts upload memory exhaustion
  • struts-config controller tag supports maxStringLen with default of 4K
• CVE-2023-49735: Tiles: Unvalidated input may lead to SSRF/XXE
• CVE-2025-54656: Improper Output Neutralization for Logs Vulnerability

Dependency Upgrades

• commons-beanutils:commons-beanutils 1.6.1 -> 1.9.4
  • CVE-2014-0114
  • CVE-2019-10086
• commons-collections:commons-collections 3.1 -> 3.2.2
  • CVE-2015-7501
  • CVE-2015-6420
• commons-digester:commons-digester 1.6 -> 1.8
• commons-fileupload:commons-fileupload 1.0 -> nes-v1.5.2
  • CVE-2013-0248
  • CVE-2013-2186
  • CVE-2014-0050
  • CVE-2016-1000031
  • CVE-2016-3092
  • CVE-2023-24998 commons-fileupload: limit number of request parts
    • struts-config controller tag supports:
      • fileCountMax Sets the maximum number of file parts with default of -1
      • maxSize Sets the maximum allowed size of a complete request with default of 256M
• commons-logging:commons-logging 1.0 -> 1.3.5
  • log4j 1.1.3 -> log4j2 2.24.3
    • CVE-2019-17571
    • CVE-2021-4104
    • CVE-2022-23302
    • CVE-2022-23305
    • CVE-2022-23307
• oro:oro 2.0.7 -> 2.0.8
• taglibs:standard 1.0.6 -> nes-v1.0.7
  • CVE-2015-0254

Notes

• This release originates from the open‑source Struts project forked by HeroDevs.
• groupId: struts
• artifactId: struts, struts-el