
The XML Trap: CVE-2025-68493, a Critical Struts 2 Flaw Exposing Data

  • Jan 11

Key Findings


  • A new vulnerability, CVE-2025-68493, has been discovered in the Apache Struts 2 web application framework.

  • The flaw, which affects multiple versions of Struts 2, allows for XML External Entity (XXE) injection attacks.

  • The vulnerability can lead to data disclosure, denial of service, and server-side request forgery (SSRF).

  • The issue stems from the way the XWork component of Struts 2 parses XML configuration: external entity resolution is left enabled, so a DOCTYPE in attacker-influenced XML can reference local files or remote URLs.


Background


Apache Struts 2 is a popular open-source web application framework for Java, widely used in enterprise applications across many industries. XWork, the command-pattern core on which Struts 2 is built, is where the vulnerable XML handling lives.


Impact


The CVE-2025-68493 vulnerability can have a significant impact on systems running affected versions of Apache Struts 2. Attackers can leverage the flaw to:


  • Disclose local files: an external entity can point at a file path on the server, and the parser reads that file and embeds its contents in the parsed document, from where it may be reflected in a response or an error message.

  • Cause denial of service by exhausting server resources, for example through nested entity expansion or an entity that reads from a blocking device.

  • Perform server-side request forgery (SSRF): an entity whose URL points at an internal host is fetched by the server itself, reaching systems the attacker cannot reach directly.


Affected Versions


The vulnerability affects the following versions of Apache Struts 2:


  • Struts 2.0.0 through 2.3.37 (End-of-Life)

  • Struts 2.5.0 through 2.5.33 (End-of-Life)

  • Struts 6.0.0 through 6.1.0


Mitigation


The Apache Struts team recommends upgrading to Struts 6.1.1 or higher to permanently address the issue. The upgrade is described as a drop-in, backward-compatible replacement that should not break existing applications.


For organizations unable to upgrade immediately, the report suggests the following workarounds:


  • Use a custom SAXParserFactory that disables external entities (and, ideally, rejects DOCTYPE declarations altogether, which also removes entity-expansion denial of service).

  • Block external DTD and schema access for the whole JVM through the JAXP system properties, e.g. `-Djavax.xml.accessExternalDTD=""`.
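
The following is an added example, not code from the advisory or from the Struts project, showing the difference between a default JAXP SAX parser and one configured the way the first workaround describes. The XXE payload is constructed for the demonstration (a `<struts>` document whose external entity points at `/etc/hostname`); the class and method names are the example's own, and the element layout is not the real XWork configuration schema.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Added example: an XXE payload against a default JAXP SAX parser versus a hardened one. */
public class XxeParserHardening {

    // Constructed XXE payload (assumption, not taken from the advisory). The external
    // entity points at a local file; a real attacker substitutes any path or internal URL.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE struts [\n"
      + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<struts><package>&xxe;</package></struts>\n";

    /** Insecure: JAXP defaults keep DOCTYPE, external entities and external DTD loading enabled. */
    static SAXParserFactory insecureFactory() {
        return SAXParserFactory.newInstance();
    }

    /** Hardened: reject DOCTYPE outright, and independently switch off every external fetch path. */
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // No DOCTYPE means no entity declarations at all: this stops XXE, external DTD
        // fetches and entity-expansion DoS ("billion laughs") with one setting.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a different parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        return f;
    }

    /** Parses the document and returns whatever text the parser produced inside <package>. */
    static String parsePackageText(SAXParserFactory factory, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        final StringBuilder text = new StringBuilder();
        final boolean[] inPackage = {false};
        SAXParser parser = factory.newSAXParser();
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            parser.parse(new InputSource(in), new DefaultHandler() {
                @Override public void startElement(String uri, String local, String qName, Attributes a) {
                    inPackage[0] = "package".equals(qName);
                }
                @Override public void endElement(String uri, String local, String qName) {
                    inPackage[0] = false;
                }
                @Override public void characters(char[] ch, int start, int len) {
                    // With a default parser the expanded external entity arrives here as text.
                    if (inPackage[0]) text.append(ch, start, len);
                }
            });
        }
        return text.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        // 1. Default factory: the entity is expanded, so the file contents show up as element text.
        try {
            String leaked = parsePackageText(insecureFactory(), PAYLOAD);
            System.out.println("default parser: <package> contains \"" + leaked + "\"");
        } catch (SAXException | IOException e) {
            System.out.println("default parser attempted the read but failed on this host: " + e);
        }
        // 2. Hardened factory: parsing fails on the DOCTYPE, before any entity could be resolved.
        try {
            parsePackageText(hardenedFactory(), PAYLOAD);
            System.out.println("hardened parser: UNEXPECTED success");
        } catch (SAXException e) {
            System.out.println("hardened parser rejected the document: " + e.getMessage());
        }
    }
}
```

Two points worth checking in a real deployment. First, the JVM-level workaround (`-Djavax.xml.accessExternalDTD=""`, or programmatically `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "")`) only blocks fetching of external DTDs and external entities; it does not stop expansion of entities declared inline, so the DOCTYPE rejection above is the stronger control. Second, the property is honoured by the JDK's built-in parser, but an application that ships its own XML parser jar in `WEB-INF/lib` may load that implementation instead, so verify which `SAXParserFactory` the running application actually resolves before relying on a system property alone.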


Conclusion


The CVE-2025-68493 vulnerability in Apache Struts 2 highlights the importance of keeping web application frameworks up-to-date and properly configured. Security teams should act quickly to assess their exposure and implement the necessary mitigations to protect their systems from potential attacks.


Sources


  • https://securityonline.info/the-xml-trap-critical-struts-2-flaw-cve-2025-68493-exposes-data/

  • https://securityonline.info/cve-2025-68637-critical-apache-uniffle-flaw-exposes-clusters-to-eavesdropping/

© 2025 by Explain IT Again. Powered and secured by Wix
