Apache Struts Release Notes

8 versions

Release notes for Apache Struts

Nov 20, 2025

Latest: 1.3.17

73 Patched CVEs

November 2025

1.3.17

Released on Nov 20, 2025

Full Version:

1.3.10-struts-1.3.17

Notes

struts-tiles removed its dependency on commons-io, as it is no longer required.
struts-core now uses a more efficient implementation for its security-related regular expression.

September 2025

1.3.16

Released on Sep 12, 2025

Full Version:

1.3.10-struts-1.3.16

Notes

Added sources jar to the published artifacts.

August 2025

1.3.15

Released on Aug 4, 2025

CVE-2025-54656

Full Version:

1.3.10-struts-1.3.15

Bug Fixes

This release patches the following:

CVE-2025-54656: Improper Output Neutralization for Logs Vulnerability

July 2025

1.3.14

Released on Jul 18, 2025

CVE-2025-48976

CVE-2025-48734

Full Version:

1.3.10-struts-1.3.14

Bug Fixes

This release patches the following:

CVE-2025-48976: FileUpload DoS via part headers
- Controller supports tag maxHeaderSize to limit the size of part headers with default of 256 bytes.
CVE-2025-48734: Improper Access Control vulnerability
- Dependency upgrade of beanutils to 1.11.0 or override to nes-v1.7.4 addresses this vulnerability.

Dependency Upgrades

commons-beanutils:commons-beanutils 1.9.4 -> 1.11.0
commons-fileupload:commons-fileupload 1.5 -> nes-v1.5.2

June 2025

1.3.13

Released on Jun 23, 2025

Full Version:

1.3.10-struts-1.3.13

Dependency Upgrades

commons-fileupload:commons-fileupload 1.5 -> nes-v1.5.1
commons-logging:commons-logging 1.0.4 -> 1.3.5
taglibs:standard 1.0.6 -> nes-v1.0.7

April 2025

1.3.12

Released on Apr 17, 2025

CVE-2023-34396

CVE-2023-24998

CVE-2023-49735

Bug Fixes

This release patches the following:

CVE-2023-34396 Struts upload memory exhaustion
- struts-config controller tag supports maxStringLen with default of 4K
CVE-2023-24998 commons-fileupload: limit number of request parts
- struts-config controller tag supports:
  - fileCountMax Sets the maximum number of file parts with default of -1
  - maxSize Sets the maximum allowed size of a complete request with default of 256M
CVE-2023-49735 Tiles: Unvalidated input may lead to SSRF/XXE

February 2025

1.3.11

Released on Feb 5, 2025

Full Version:

1.3.10-struts-1.3.11

Bug Fixes

This release patches the following:

CVE-2012-1007: Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10.
CVE-2014-0114: Class Loader manipulation.
CVE-2015-0899: MultiPageValidator bypass in Apache Struts 1.
CVE-2016-1181: Multithreaded access to an ActionForm multipart access.
CVE-2016-1182: Access to Validator configuration.

1.3.11-trial

Released on Feb 5, 2025

Full Version:

1.3.10-struts-1.3.11-trial

Notes

This release originates from the open‑source Struts project forked by HeroDevs.
This release contains no functional changes from Struts version 1.3.10.

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.

New releases published regularly — check back often for the latest security updates

$ cat features.txt

Security Patches
Regular updates to keep your applications secure
CVE Remediation
Rapid response to critical vulnerabilities
Expert Support
Direct access to our development team