Apache Struts 2.5.x Release Notes

7 versions

Comprehensive release notes and changelog for Apache Struts 2.5.x, including security patches, bug fixes, and feature updates across all supported versions.

Jan 15, 2026

Latest: 2.5.39

73 Patched Vulnerabilities

VEX Statements

January 2026

2.5.39

Released Jan 15, 2026

CVE-2025-68493

Full Version:

2.5.33-struts2-2.5.39

Bug Fixes

This release patches the following:

Apache Struts 2 is Missing XML Validation (CVE-2025-68493)
- org.apache.struts:struts2-core:2.5.33-struts2-2.5.39

December 2025

2.5.38

Released Dec 4, 2025

2 More

Full Version:

2.5.33-struts2-2.5.38

Bug Fixes

This release patches the following:

Vulnerable to DoS via File Leak (CVE-2025-64775 and CVE-2025-66675).
- org.apache.struts:struts2-core:2.5.33-struts2-2.5.38

Dependency Upgrades

commons-fileupload:commons-fileupload 1.4 -> 1.6.0
- CVE-2023-24998 FileUpload denial of service vulnerability
  - Added configuration: struts.multipart.maxFiles (default 256) - The maximum number of files allowed in a multipart request
  - Added configuration: struts.multipart.maxFileSize (default 2097152) - The maximum size per file in a multipart request
- CVE-2025-48976 FileUpload DoS via part headers
  - Added configuration: struts.multipart.partHeaderSizeMax (default 512) - The maximum size of headers per part in a multipart request in bytes
commons-io:commons-io 2.6 -> 2.19.0
- CVE-2021-29425 Path Traversal and Improper Input Validation in Apache Commons IO
- CVE-2024-47554 Possible denial of service attack on untrusted input to XmlStreamReader
commons-beanutils:commons-beanutils 1.9.4 -> 1.11.0
- CVE-2025-48734 Improper Access Control vulnerability

September 2025

2.5.37

Released Sep 12, 2025

Full Version:

2.5.33-struts2-2.5.37

Notes

Build enhancements and publishing improvements.

July 2025

2.5.35-trial

Released Jul 9, 2025

Full Version:

2.5.33-struts2-2.5.35-trial

Notes

This release originates from the open‑source Struts 2 project forked by HeroDevs.
This release contains no functional changes from Struts version 2.5.33.

March 2025

2.5.36

Released Mar 28, 2025

Full Version:

2.5.33-struts2-2.5.36

Notes

Publish Apache Struts 2 under the org.apache.struts group ID instead of com.herodevs.nes.apache.struts.

December 2024

2.5.35

Released Dec 23, 2024

CVE-2024-53677

Full Version:

2.5.33-struts2-2.5.35

Bug Fixes

This release patches the following:

File upload logic is flawed, and allows an attacker to enable paths with traversals (CVE-2024-53677).
- com.herodevs.nes.apache.struts.struts2-core:2.5.33-struts2-2.5.35

September 2024

2.5.34

Released Sep 5, 2024

Full Version:

2.5.33-struts2-2.5.34

Notes

This release originates from the open‑source Struts project forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds.
This release contains no functional changes from Struts version 2.5.33. Full Version: 2.5.33-struts2-2.5.34

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.

New releases published regularly — check back often for the latest security updates

$ cat features.txt

Security Patches
Regular updates to keep your applications secure
CVE Remediation
Rapid response to critical vulnerabilities
Expert Support
Direct access to our development team