Few frameworks have handed attackers as many reliable remote-code-execution primitives as Apache Struts 2. Over more than a decade, a recurring pattern — Struts' aggressive use of OGNL (Object-Graph Navigation Language) to bind HTTP input to Java objects — has produced a steady stream of critical CVEs, several of which reached CVSS 9.8-10.0 and at least one of which (CVE-2017-5638) enabled the 2017 Equifax breach that exposed the personal data of roughly 147 million people. The most recent entries in this lineage, CVE-2023-50164 and CVE-2024-53677, show the pattern is still active today: unauthenticated attackers can upload a crafted file and achieve full remote code execution on the underlying server, no valid session or credentials required. Because Struts is still embedded in a large base of enterprise Java web applications — often several dependency hops deep and long forgotten by the teams that shipped them — this vulnerability class remains one of the highest-value targets for both opportunistic scanning and targeted intrusion.
Affected versions and components
Struts RCE vulnerabilities cluster around a handful of subsystems that all funnel untrusted input into OGNL evaluation or Java's file-handling APIs:
- Jakarta Multipart file upload parser — the component responsible for CVE-2017-5638 and, later, CVE-2023-50164 and CVE-2024-53677.
- The core OGNL expression evaluator — abused via crafted
Content-Type,action:,redirect:, and tag-attribute values in CVE-2013-2251, CVE-2016-3081/3087, and CVE-2020-17530. - The namespace/action-mapping logic — the vector for CVE-2018-11776, triggered when
alwaysSelectFullNamespaceis enabled (the default in many configurations using the Struts REST plugin).
In aggregate, these CVEs touch nearly every major Struts 2 release line: 2.0.0 through 2.3.x, all of 2.5.x, and — in the case of the 2023/2024 file-upload flaws — even the 6.x line, meaning "we're on a modern version" is not a safe assumption without checking the specific patch level.
CVSS, EPSS, and KEV context
Severity across this CVE family is consistently near the top of the scale:
- CVE-2017-5638 — CVSS v2 base score 10.0 (network vector, no authentication, complete impact). Actively exploited within days of disclosure; used in the Equifax breach and added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
- CVE-2018-11776 — CVSS v3 base score 8.1. Mass-exploited within a week of the Semmle/GitHub disclosure.
- CVE-2020-17530 — CVSS v3 base score 9.8. Forced OGNL evaluation on raw, unescaped user input reaching tag attributes.
- CVE-2023-50164 — CVSS v3 base score 9.8. Path-traversal in file upload leading to arbitrary file placement and RCE; added to CISA KEV given confirmed in-the-wild exploitation shortly after disclosure.
- CVE-2024-53677 — CVSS v3 base score around 9.5. A bypass of the CVE-2023-50164 fix that again permits malicious file upload manipulation and RCE; subsequently added to CISA KEV as exploitation attempts followed public proof-of-concept code within days.
EPSS (Exploit Prediction Scoring System) scores for the file-upload and OGNL-injection CVEs in this family routinely sit in the 90th-97th percentile of all scored CVEs — reflecting both how trivially weaponizable the bugs are (public Metasploit modules and one-line curl exploits exist for most of them) and how attractive Struts remains as an internet-facing target. Any CVE in this list that also appears in CISA KEV should be treated as a "patch now, not on the next cycle" finding for any organization with federal exposure or contractual obligations tied to KEV remediation timelines — and, frankly, for everyone else too.
Timeline
- 2013 — CVE-2013-2251 (S2-016): RCE via
action:,redirect:, andredirectAction:URL prefixes that were passed unsanitized into OGNL. One of the earliest widely exploited Struts OGNL bugs. - 2016 — CVE-2016-3081 / CVE-2016-3087 (S2-032 / S2-037): RCE through Dynamic Method Invocation (DMI), where method names supplied in request parameters were evaluated as OGNL expressions.
- March 2017 — CVE-2017-5638 (S2-045): A malformed
Content-Typeheader (e.g.,Content-Type: %{(#nike='multipart/form-data')...}) triggers OGNL evaluation inside the Jakarta Multipart parser before any authentication or business logic runs. Disclosed and patched by the Struts team in early March 2017; Equifax's public breach disclosure in September 2017 revealed the flaw had been exploited against an unpatched internet-facing dispute-portal server months after a fix was available. - August 2018 — CVE-2018-11776 (S2-057): Researchers at Semmle found that when
alwaysSelectFullNamespaceis true (common with the Struts REST plugin) or the namespace is left unspecified, an attacker-controlled namespace or action value is evaluated as OGNL, allowing RCE without any special configuration beyond defaults many apps shipped with. - December 2020 — CVE-2020-17530 (S2-061): A regression of an earlier fix (S2-059) reintroduced forced double OGNL evaluation on tag attribute values, letting attacker-supplied strings reach the interpreter again.
- December 2023 — CVE-2023-50164 (S2-066): A path-traversal flaw in file-upload parameter handling lets an attacker manipulate the upload logic to place a file (e.g., a JSP webshell) at an attacker-chosen path on disk — a return, six years later, to the file-upload subsystem that produced the Equifax bug.
- December 2024 — CVE-2024-53677 (S2-067): Disclosed as a bypass of the CVE-2023-50164 patch — the file-upload interceptor logic still permitted parameter manipulation sufficient to upload and execute a malicious file, again with a public exploitation window opening within days of disclosure and a subsequent CISA KEV addition.
The pattern across a decade is unmistakable: fixes narrowly patch the specific expression or code path used in a proof-of-concept, but the underlying design — trusting request-derived strings to reach OGNL or file-path construction — keeps resurfacing new variants.
Remediation steps
- Inventory every Struts instance, including transitive ones. Struts is frequently pulled in as a transitive dependency of a vendor library or an internal shared framework. Don't rely on a manual list of "apps we built on Struts" — generate a software bill of materials (SBOM) across your Java estate and search it for
org.apache.strutsgroup IDs at every depth of the dependency graph. - Patch to the fixed version for your exposure, not just "latest." For the 2023-2024 file-upload chain, ensure you are on Struts 6.3.0.2+ (or the corresponding fixed point release on the 2.5.x/6.x line) — being on a "modern" 6.x release does not, by itself, mean you're safe from CVE-2024-53677.
- Disable Dynamic Method Invocation and restrict
alwaysSelectFullNamespacewhere not explicitly required, closing off two of the historically exploited OGNL entry points even if a zero-day resurfaces in the same area. - Deploy a WAF rule set tuned for OGNL injection (
%{,${, nested#expressions in headers, parameters, and multipart boundaries) as a compensating control while patches roll out — this is not a substitute for patching, but it buys time on internet-facing systems. - Harden the file-upload path independently of the framework fix: validate upload directories are outside the webroot, enforce strict extension allow-lists, and run the application server process with the minimum filesystem write permissions it actually needs.
- Verify exploitability, not just presence. A vulnerable Struts jar sitting in a batch-processing service with no exposed HTTP endpoint is a materially different risk than the same jar backing an internet-facing REST API — prioritize based on whether the vulnerable code path is actually reachable from an untrusted entry point.
- Monitor logs for known exploitation indicators — malformed
Content-Typeheaders, requests containing%{sequences, unexpected JSP/JAR files appearing in webroot directories — and treat any hit as a potential compromise requiring incident response, not just patching.
How Safeguard Helps
Safeguard turns this kind of sprawling, decade-long CVE history into an actionable, prioritized list rather than a spreadsheet of theoretical risk. Our SBOM generation and ingestion pipeline surfaces every Struts artifact in your estate — including transitive copies buried inside vendor libraries — so nothing hides from the inventory step above. Griffin AI and our reachability analysis engine then determine which of those Struts instances actually expose the vulnerable OGNL or file-upload code paths to untrusted input, separating genuine emergencies from dormant, unreachable jars that don't warrant an emergency change window. For confirmed exposures, Safeguard opens auto-fix pull requests that bump the dependency to the patched release and flag any configuration changes (like disabling Dynamic Method Invocation) needed to close related attack paths, cutting the time from disclosure to remediated production code from weeks to hours.