Apache Struts Release Notes
8 versions
Release notes for Apache Struts
Nov 20, 2025
Latest: 1.3.17
73 Patched CVEs
November 2025
September 2025
August 2025
1.3.15
Released on Aug 4, 2025
Full Version: 1.3.10-struts-1.3.15
Bug Fixes
This release patches the following:
- CVE-2025-54656: Improper Output Neutralization for Logs Vulnerability
July 2025
1.3.14
Released on Jul 18, 2025
Full Version: 1.3.10-struts-1.3.14
Bug Fixes
This release patches the following:
- CVE-2025-48976: FileUpload DoS via part headers
  - Controller supports tag maxHeaderSize to limit the size of part headers with default of 256 bytes.
- CVE-2025-48734: Improper Access Control vulnerability
  - Dependency upgrade of beanutils to 1.11.0 or override to nes-v1.7.4 addresses this vulnerability.
Dependency Upgrades
- commons-beanutils:commons-beanutils 1.9.4 -> 1.11.0
- commons-fileupload:commons-fileupload 1.5 -> nes-v1.5.2
June 2025
1.3.13
Released on Jun 23, 2025
Full Version: 1.3.10-struts-1.3.13
Dependency Upgrades
- commons-fileupload:commons-fileupload 1.5 -> nes-v1.5.1
- commons-logging:commons-logging 1.0.4 -> 1.3.5
- taglibs:standard 1.0.6 -> nes-v1.0.7
April 2025
1.3.12
Released on Apr 17, 2025
Bug Fixes
This release patches the following:
- CVE-2023-34396 Struts upload memory exhaustion
  - struts-config controller tag supports maxStringLen with default of 4K
- CVE-2023-24998 commons-fileupload: limit number of request parts
  - struts-config controller tag supports:
    - fileCountMax: Sets the maximum number of file parts with default of -1
    - maxSize: Sets the maximum allowed size of a complete request with default of 256M
- CVE-2023-49735 Tiles: Unvalidated input may lead to SSRF/XXE
February 2025
1.3.11
Released on Feb 5, 2025
Full Version: 1.3.10-struts-1.3.11
Bug Fixes
This release patches the following:
- CVE-2012-1007: Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10.
- CVE-2014-0114: Class Loader manipulation.
- CVE-2015-0899: MultiPageValidator bypass in Apache Struts 1.
- CVE-2016-1181: Multithreaded access to an ActionForm multipart access.
- CVE-2016-1182: Access to Validator configuration.
1.3.11-trial
Released on Feb 5, 2025
Full Version: 1.3.10-struts-1.3.11-trial
Notes
- This release originates from the open‑source Struts project forked by HeroDevs.
- This release contains no functional changes from Struts version 1.3.10.