
A new flaw has emerged in the foundation of one of the most popular Java frameworks on the web.
Cybersecurity experts at ZAST.AI have discovered a significant security flaw in Apache Struts 2, warning that the vulnerability could put enterprise applications at risk by allowing attackers to steal sensitive information or conduct denial-of-service attacks.
The bug affects a wide range of Struts releases, including branches that have already reached End of Life (EOL). The affected software includes:
The vulnerability, tracked as CVE-2025-68493, affects XWork, the command-pattern framework on which Struts 2 is built. The issue stems from improper handling of XML configuration files, which exposes systems to XML External Entity (XXE) injection.
At its core, this is an input-validation failure. The report states that "XML configuration parsing in the XWork component does not properly validate the XML," which leaves a path for attackers to inject malicious external entity declarations.
When an application parses a tainted XML document, the parser can be tricked into resolving entities that point at external resources. The potential impact is the usual XXE trifecta: information disclosure, denial of service, and server-side request forgery.
In practice, an attacker who can get crafted XML in front of the parser could force the server to reveal local files, exhaust its resources (for example through recursive entity expansion), or issue unauthorized requests to internal systems that sit behind the firewall.
The Apache Struts team recommends that organizations "upgrade to at least version 6.1.1" to close the gap permanently. The report emphasizes that "this change is backwards compatible," so the update should not require changes to existing applications.
For teams on older versions that cannot upgrade immediately, there are workarounds: configure a custom SAXParserFactory that disables external entity resolution, or set JVM-level system properties that block access to external DTDs and schemas, such as -Djavax.xml.accessExternalDTD="" (and its counterpart -Djavax.xml.accessExternalSchema=""). Note that the system-property approach applies to every JAXP parser in the JVM, so test it against any other XML processing the application relies on.
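To make the workaround concrete, here is an added example (not code from the ZAST.AI report or the Struts project) that parses the same constructed document twice: once with a default SAXParserFactory, which resolves a file: external entity, and once with a factory hardened the way the advisory suggests, plus the per-parser equivalents of the javax.xml.accessExternalDTD / accessExternalSchema system properties. The XML, the /etc/hostname path (assumes a Linux host) and the class and method names are all assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeDemo {
    // Constructed sample: a config-style document whose DOCTYPE declares an
    // external entity pointing at a local file and expands it in element content.
    // (/etc/hostname is an assumption; substitute any readable local file.)
    static final String MALICIOUS_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE struts [\n"
      + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
      + "]>\n"
      + "<struts><constant name=\"demo\">&xxe;</constant></struts>\n";

    // Collects character data so we can see whether the entity was expanded.
    static class TextCollector extends DefaultHandler {
        final StringBuilder seen = new StringBuilder();
        @Override
        public void characters(char[] ch, int start, int length) {
            seen.append(ch, start, length);
        }
        @Override
        public void startElement(String uri, String local, String qName, Attributes attrs) {
            // nothing to do; attributes are not used by this sample
        }
    }

    /** Default JAXP factory: external general entities are resolved, so the file leaks. */
    static String parseUnsafe(String xml) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        TextCollector h = new TextCollector();
        f.newSAXParser().parse(
            new InputSource(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))), h);
        return h.seen.toString().trim();
    }

    /** Hardened factory: reject DOCTYPE outright and disable every external-entity path. */
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Most effective single control: no DOCTYPE means no entity declarations at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case DOCTYPE must be allowed for some documents.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    static String parseSafe(String xml) throws Exception {
        SAXParser p = hardenedFactory().newSAXParser();
        // JAXP 1.5 access-control properties: per-parser equivalent of
        // -Djavax.xml.accessExternalDTD="" -Djavax.xml.accessExternalSchema=""
        p.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        p.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        TextCollector h = new TextCollector();
        p.parse(new InputSource(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))), h);
        return h.seen.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        try {
            System.out.println("default parser expanded entity to: " + parseUnsafe(MALICIOUS_XML));
        } catch (Exception e) {
            System.out.println("default parser attempted to resolve entity: " + e);
        }
        try {
            parseSafe(MALICIOUS_XML);
            System.out.println("hardened parser accepted document (unexpected)");
        } catch (SAXException e) {
            // Expected: the DOCTYPE is rejected before any entity can be resolved.
            System.out.println("hardened parser rejected document: " + e.getMessage());
        }
    }
}
```

Compile and run with a JDK (`javac XxeDemo.java && java XxeDemo`). The first parse prints the contents of the referenced file; the second fails with a SAXParseException about the disallowed DOCTYPE, which is the behaviour you want from any parser that handles configuration XML an attacker might influence. If a framework constructs its own SAXParserFactory internally and you cannot replace it, the JVM-wide system properties from the advisory are the fallback, at the cost of affecting every JAXP parser in the process.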
