Critical Remote Code Injection Vulnerability Found in Apache Struts

On September 5, 2017, the Apache Struts project released Apache Struts version 2.5.13 to patch the recently discovered critical XML remote code injection vulnerability S2-052. To exploit the vulnerability, a malicious user only needs to send a malicious XML payload to the vulnerable web server.

To patch to the newest Apache Struts 2.5.13 version, visit https://struts.apache.org/download.cgi

This release contains fixes for the following security vulnerabilities:

  • S2-052  Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads
  • S2-050  A regular expression Denial of Service when using URLValidator (similar to S2-044 & S2-047)
  • S2-051  A remote attacker may create a DoS attack by sending a crafted XML request when using the Struts REST plugin.

The IT Security Office strongly recommends that this vulnerability be patched as soon as possible.
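To find deployments that still need the update, the following script (an added example, not part of this advisory or of the Apache Struts project) walks a web application directory, picks out the Struts core and REST plugin jars by file name, and reports any whose version is below the 2.5.13 release named above. It assumes the jars keep the standard struts2-core-<version>.jar and struts2-rest-plugin-<version>.jar naming.

```python
import os
import re
from typing import Iterable, List, Optional, Tuple

# Fixed release named in the advisory above for the Struts 2.5 branch (S2-052).
FIXED_VERSION = (2, 5, 13)

# Struts core and REST plugin jars share the Struts version number, e.g.
# struts2-core-2.5.12.jar or struts2-rest-plugin-2.5.10.1.jar (assumed naming).
JAR_PATTERN = re.compile(r"^struts2-(core|rest-plugin)-(\d+(?:\.\d+)+)\.jar$")

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def parse_struts_jar(filename: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (artifact, version) for a Struts jar file name, else None."""
    match = JAR_PATTERN.match(os.path.basename(filename))
    if match is None:
        return None
    return match.group(1), parse_version(match.group(2))

def needs_patch(version: Tuple[int, ...]) -> bool:
    """True when the version is below the fixed release named in the advisory.
    Other branches (e.g. 2.3.x) must be checked against the vendor bulletin."""
    return version < FIXED_VERSION

def flag_jars(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return [(path, 'x.y.z'), ...] for every Struts jar below FIXED_VERSION."""
    flagged = []
    for path in paths:
        parsed = parse_struts_jar(path)
        if parsed is not None and needs_patch(parsed[1]):
            flagged.append((path, ".".join(str(p) for p in parsed[1])))
    return flagged

def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a deployment directory (e.g. Tomcat's webapps/) and flag old jars."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        found.extend(os.path.join(dirpath, name) for name in filenames)
    return flag_jars(found)

if __name__ == "__main__":
    import sys
    for path, version in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: Struts {version} is older than 2.5.13, patch required")
```

Run it against the application server's deployment root; an empty result means no Struts 2.5 jar below 2.5.13 was found by name, which does not rule out a shaded or renamed copy.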