Apache Struts Release Notes
7 versions
Release notes for Apache Struts
Jan 15, 2026
Latest: 2.5.39
73 Patched CVEs
January 2026
2.5.39
Released on Jan 15, 2026
Full Version: 2.5.33-struts2-2.5.39
Bug Fixes
This release patches the following:
- Apache Struts 2 is Missing XML Validation (CVE-2025-68493)
org.apache.struts:struts2-core:2.5.33-struts2-2.5.39
December 2025
2.5.38
Released on Dec 4, 2025
Full Version: 2.5.33-struts2-2.5.38
Bug Fixes
This release patches the following:
- Vulnerable to DoS via File Leak (CVE-2025-64775 and CVE-2025-66675).
org.apache.struts:struts2-core:2.5.33-struts2-2.5.38
Dependency Upgrades
- commons-fileupload:commons-fileupload 1.4 -> 1.6.0
  - CVE-2023-24998 FileUpload denial of service vulnerability
    - Added configuration: struts.multipart.maxFiles (default 256) - The maximum number of files allowed in a multipart request
    - Added configuration: struts.multipart.maxFileSize (default 2097152) - The maximum size per file in a multipart request
  - CVE-2025-48976 FileUpload DoS via part headers
    - Added configuration: struts.multipart.partHeaderSizeMax (default 512) - The maximum size of headers per part in a multipart request in bytes
- commons-io:commons-io 2.6 -> 2.19.0
  - CVE-2021-29425 Path Traversal and Improper Input Validation in Apache Commons IO
  - CVE-2024-47554 Possible denial of service attack on untrusted input to XmlStreamReader
- commons-beanutils:commons-beanutils 1.9.4 -> 1.11.0
  - CVE-2025-48734 Improper Access Control vulnerability
September 2025
July 2025
2.5.35-trial
Released on Jul 9, 2025
Full Version: 2.5.33-struts2-2.5.35-trial
Notes
- This release originates from the open‑source Struts 2 project forked by HeroDevs.
- This release contains no functional changes from Struts version 2.5.33.
March 2025
December 2024
2.5.35
Released on Dec 23, 2024
Full Version: 2.5.33-struts2-2.5.35
Bug Fixes
This release patches the following:
- File upload logic is flawed, and allows an attacker to enable paths with traversals (CVE-2024-53677).
com.herodevs.nes.apache.struts.struts2-core:2.5.33-struts2-2.5.35
September 2024
2.5.34
Released on Sep 5, 2024
Full Version: 2.5.33-struts2-2.5.34
Notes
- This release originates from the open‑source Struts project forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds.
- This release contains no functional changes from Struts version 2.5.33.