
[CIVN-2026-0087] XML External Entity (XXE) Vulnerability in Apache Struts (XWork Component)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
XML External Entity (XXE) Vulnerability in Apache Struts (XWork Component)
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
Apache Struts versions 2.0.0 to 2.3.37 (EOL)
Apache Struts versions 2.5.0 to 2.5.33 (EOL)
Apache Struts versions 6.0.0 to 6.1.0
Overview
A vulnerability has been reported in Apache Struts which could allow an attacker to bypass security restrictions, gain access to sensitive information and cause denial of service on the targeted system.
Target Audience:
Organizations and individuals using the affected Apache Struts framework.
Risk Assessment:
High risk of compromise of the application and its data.
Impact Assessment:
Potential for information disclosure, denial of service, security restriction bypass.
Description
Apache Struts is a free, open-source framework for creating enterprise-ready Java web applications.
This vulnerability exists because the XWork component does not sufficiently restrict XML external entities (XXE) when parsing XML configuration. An attacker who can get specially crafted XML input parsed by the affected component could exploit this vulnerability.
Successful exploitation of this vulnerability could allow the attacker to bypass security restrictions, gain access to sensitive information and cause denial of service on the targeted system.
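The following is an added illustration of the general XXE pattern described above; it is not code from this advisory or from Apache Struts/XWork. It contrasts a JAXP DocumentBuilder left at its defaults (DOCTYPE and external entities honoured) with one hardened per the usual OWASP guidance. The payload, class and method names are constructed for the demo; the entity target file:///etc/hostname is an arbitrary local file chosen only to show the read.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public final class XxeDemo {

    // Constructed payload (hypothetical): a DOCTYPE declaring an external entity
    // that points at a local file, referenced from a configuration element.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE config [\n" +
        "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n" +
        "]>\n" +
        "<config><name>&xxe;</name></config>";

    /** Default JAXP configuration: DOCTYPE and external entities are resolved. */
    static DocumentBuilder permissiveParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened configuration: rejects any DOCTYPE, so external entities
     *  and entity-expansion denial of service are blocked in one step. */
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, for parsers where a DOCTYPE must still be accepted.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // Forbid fetching external DTDs and schemas over any protocol (JAXP 1.5+).
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf.newDocumentBuilder();
    }

    /** Parses the XML and returns the text of the first <name> element. */
    static String parseName(DocumentBuilder db, String xml) throws SAXException, IOException {
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("name").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        try {
            // With the permissive parser the entity is resolved and the file
            // contents land in the parsed document (or an IOException shows the
            // read attempt if the file does not exist on this host).
            System.out.println("permissive parser resolved entity to: "
                + parseName(permissiveParser(), PAYLOAD));
        } catch (IOException e) {
            System.out.println("permissive parser attempted the file read: " + e);
        }
        try {
            parseName(hardenedParser(), PAYLOAD);
        } catch (SAXException e) {
            // Expected: the DOCTYPE itself is rejected before any entity is resolved.
            System.out.println("hardened parser rejected the document: " + e.getMessage());
        }
    }
}
```

The same feature strings apply to SAXParserFactory and XMLInputFactory; whichever JAXP entry point an application uses, the safe default is to disallow the DOCTYPE outright and only relax that when a trusted internal DTD is genuinely required.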
Solution
Apply the appropriate updates as mentioned by the Vendor:
https://cwiki.apache.org/confluence/display/WW/S2-069
Note that the 2.3.x and 2.5.x branches listed above are end-of-life (EOL) and are not expected to receive a fix; deployments on those branches should be upgraded to a supported release.
Vendor Information
Apache
https://apache.org/
References
Apache
https://cwiki.apache.org/confluence/display/WW/S2-069
CVE Name
CVE-2025-68493
- --
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


