XWork ParameterInterceptors bypass allows OGNL statement execution

Who should read this

All Struts 2 developers

Impact of vulnerability

Remote server context manipulation

Maximum security rating



Recommendation

Developers should immediately upgrade to Struts 2.2.1 or later

Affected Software

Struts 2.0.0 - Struts

Original JIRA Ticket

XW-641, WW-2692


Reporter

Meder Kydyraliev, Google Security Team

CVE Identifier

CVE-2008-6504


OGNL provides, among other features, extensive expression evaluation capabilities. The vulnerability allows a malicious user to bypass the '#'-usage protection built into the ParametersInterceptor, thus being able to manipulate server side context objects.

So, for instance, to set #session.user to '0wn3d' the following parameter name can be used:

('\u0023' + 'session\'user\'')(unused)=0wn3d

which will look as follows once URL encoded:



To fix this particular issue, upgrade to at least Struts 2.2.1.
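The bypass described above works because a check that only refuses the literal '#' character never sees an encoded one. The following is an added example, not Struts or XWork code: it compares such a deny-list check with an allow-list for parameter names and flags the encoded '#' for logging. The class name, the method names and the allow-list pattern are assumptions made for illustration.

```java
import java.util.regex.Pattern;

public class ParamNameCheck {
    // Deny-list check of the kind the advisory says was bypassed:
    // only a literal '#' in the parameter name is refused.
    static boolean denyListAccepts(String name) {
        return name.indexOf('#') < 0;
    }

    // Assumed allow-list: identifiers joined by dots, each with an optional
    // numeric index. Quotes, parentheses, backslashes and spaces never match.
    private static final Pattern ALLOWED = Pattern.compile(
        "[A-Za-z_][A-Za-z0-9_]*(\\[[0-9]+\\])?"
        + "(\\.[A-Za-z_][A-Za-z0-9_]*(\\[[0-9]+\\])?)*");

    static boolean allowListAccepts(String name) {
        return name.length() <= 128 && ALLOWED.matcher(name).matches();
    }

    // Detection helper: the escaped form of '#' used in the advisory's
    // parameter name, worth logging even when the request is rejected.
    private static final Pattern ENCODED_HASH = Pattern.compile("\\\\u0023");

    static boolean hasEncodedHash(String name) {
        return ENCODED_HASH.matcher(name).find();
    }

    public static void main(String[] args) {
        String[] names = {
            "user.name",      // constructed benign name
            "items[0].id",    // constructed benign name
            "#session.user",  // literal '#': refused by both checks
            // parameter name as quoted in the advisory
            "('\\u0023' + 'session\\'user\\'')(unused)"
        };
        for (String n : names) {
            System.out.printf("%-45s denyList=%-5b allowList=%-5b encodedHash=%b%n",
                n, denyListAccepts(n), allowListAccepts(n), hasEncodedHash(n));
        }
    }
}
```

The advisory's parameter name passes the deny-list check and fails the allow-list, which is why filtering on permitted characters is the more robust control alongside the upgrade.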

