Safeguard
Security

Apache Struts 2 Vulnerability History: The RCE Flaws You Must Patch

Apache Struts 2 vulnerabilities have caused some of the largest breaches on record. Here is the CVE lineage, why the same flaw keeps recurring, and how to detect it.

Yukti Singhal
Security Analyst
5 min read

An Apache Struts 2 vulnerability is almost always a remote code execution (RCE) flaw, and the framework's history shows the same file-upload and expression-evaluation weaknesses returning again and again despite repeated patches. If you run Struts 2 anywhere, the practical question is not whether a critical Struts vulnerability exists but whether your specific version is behind the latest fix. This guide walks the CVE lineage, all verified against public advisories, and explains how to stay ahead of it.

Why Struts 2 keeps producing critical CVEs

Struts 2 is a Java MVC framework built around OGNL (Object-Graph Navigation Language), an expression language the framework uses to move data between the request and the application. The recurring problem is that user-controllable input has repeatedly reached an OGNL evaluation context, or reached file-upload handling, in ways that let an attacker execute arbitrary code. When the underlying design lets attacker input steer evaluation or file placement, patches that block one path tend to leave adjacent paths open, which is why the same vulnerability class recurs.

CVE-2017-5638: the Equifax flaw

The most infamous Apache Struts 2 vulnerability is CVE-2017-5638, an RCE in the Jakarta Multipart parser. A crafted Content-Type header in a file-upload request was evaluated as an OGNL expression, letting attackers run commands on the server. It carried a maximum CVSS score of 10.0. Apache fixed it in Struts 2.3.32 and 2.5.10.1, released in early March 2017.

This is the vulnerability behind the Equifax breach, which exposed sensitive data for roughly 145 million people. The fix had been available for months before the breach; the exposure came from an unpatched instance. That single fact is the most important lesson in the whole Struts story: the flaw was known and fixed, and the damage came from not applying the fix.

CVE-2018-11776: namespace evaluation

CVE-2018-11776, disclosed by Semmle researchers, was a critical RCE caused by insufficient validation of user input used in the framework core. Under certain configurations, notably where results used no namespace and the upstream action configuration lacked one, an attacker could trigger OGNL evaluation through a crafted URL and achieve remote code execution. It reinforced the pattern: attacker-influenced values reaching OGNL evaluation.

CVE-2023-50164: file-upload path traversal

CVE-2023-50164 moved the spotlight back to file uploads. By manipulating file-upload parameters, an attacker could perform path traversal and, under certain conditions, upload a malicious file to a location that enabled remote code execution. It was rated critical and prompted urgent upgrade advisories across the industry.

CVE-2024-53677: the recurrence

CVE-2024-53677 is, in effect, CVE-2023-50164 returning because the earlier fix was incomplete. It is a critical flaw in the file-upload mechanism, with a CVSS score of 9.5, that again allows attackers to manipulate upload parameters for unauthorized file placement and potential RCE. Apache's guidance is not merely to bump a patch version: the deprecated file-upload mechanism must be replaced with the new Action File Upload interceptor, and applications should move to Struts 6.4.0 or greater. Simply upgrading without adopting the new interceptor can leave the application exposed. Active exploitation was reported shortly after disclosure.

The pattern you should internalize

Four critical Apache Struts 2 vulnerabilities over roughly seven years, and the throughline is unmistakable:

  • The flaws cluster around OGNL evaluation and file-upload handling.
  • "Patched" and "safe" diverge when a fix is incomplete, as CVE-2024-53677 following CVE-2023-50164 demonstrated.
  • Some fixes require configuration changes, not just a version bump.
  • Every major incident was worse because organizations ran unpatched versions long after fixes shipped.

Detecting and remediating Struts exposure

Practical steps, in priority order:

  1. Inventory every Struts 2 dependency, including transitive ones and copies bundled inside WAR and fat-JAR artifacts. Struts often hides deep in the dependency tree of legacy applications.
  2. Compare each version against the latest fixed release. Because Struts fixes sometimes demand a config change, read the specific advisory rather than assuming a patch version is sufficient.
  3. For CVE-2024-53677 specifically, migrate to the Action File Upload mechanism and Struts 6.4.0 or later; do not stop at a version bump.
  4. Generate an SBOM so future Struts CVEs map instantly to affected services instead of triggering a manual scramble.
  5. Put a web application firewall rule in front as a stopgap while you patch, but never treat it as the fix.

An SCA tool such as Safeguard can flag a vulnerable Struts version transitively, even when it is buried inside a bundled artifact you did not declare directly, which is exactly where these dependencies tend to hide. For the broader picture of how transitive dependencies become breach vectors, our software supply chain fundamentals material covers the inventory problem in depth.

FAQ

What is the most severe Apache Struts 2 vulnerability?

CVE-2017-5638 is the most infamous, an RCE in the Jakarta Multipart parser with a maximum CVSS of 10.0. It was the vulnerability exploited in the Equifax breach affecting around 145 million people. The patch existed for months before the breach; the damage came from running an unpatched version.

Is upgrading the Struts version enough to fix CVE-2024-53677?

Not by itself. Apache's guidance is to replace the deprecated file-upload mechanism with the new Action File Upload interceptor and move to Struts 6.4.0 or greater. A version bump without adopting the new interceptor can leave the application exposed.

Why do Struts 2 vulnerabilities keep recurring?

They cluster around OGNL expression evaluation and file-upload handling, where attacker-controllable input reaches a dangerous context. Patches that close one path often leave adjacent paths open, which is why CVE-2024-53677 essentially revived CVE-2023-50164 after an incomplete fix.

How do I find Struts 2 in my applications?

Inventory all dependencies, including transitive ones and libraries bundled inside WAR and fat-JAR files, then map versions against the latest advisories. Generating an SBOM makes future Struts CVEs map instantly to affected services rather than requiring a manual hunt.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.