

Long request parameter names might significantly promote the effectiveness of DOS attacks

Who should read this: All Struts 2 developers

Impact of vulnerability: Denial-of-Service attacks

Maximum security rating:

Recommendation: Developers should upgrade to Struts

Affected Software: Struts 2.0.0 - Struts 2.3.4

Original JIRA Tickets:

Reporter: Johno Crawford

CVE Identifier:

Struts 2 effectively treats request parameter names as OGNL expressions. An attacker can send requests with extremely long parameter names to a Struts 2 based application. OGNL evaluation of each such name consumes significant CPU cycles, which increases the effectiveness of a DoS attack.


As of Struts, parameter name length is limited to a maximum of 100 characters. This limit may be customized by setting the newly introduced parameter "paramNameMaxLength" in the ParametersInterceptor configuration.
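A struts.xml sketch of that customization, added here as an example and not taken from the Struts project or the patch. The package, stack, and action names and the value 64 are assumptions; the setting only takes effect on a Struts version that includes the "paramNameMaxLength" parameter.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
  <!-- Hypothetical package name; extends the stock struts-default package. -->
  <package name="example" extends="struts-default">
    <interceptors>
      <!-- Hypothetical stack name. It reuses defaultStack and overrides one
           setting of the "params" interceptor (ParametersInterceptor). -->
      <interceptor-stack name="boundedParamsStack">
        <interceptor-ref name="defaultStack">
          <!-- Assumed value: 64 is stricter than the 100-character default.
               Pick a value that still fits the longest legitimate
               parameter name used by the application's forms. -->
          <param name="params.paramNameMaxLength">64</param>
        </interceptor-ref>
      </interceptor-stack>
    </interceptors>

    <!-- Apply the bounded stack to every action in this package. -->
    <default-interceptor-ref name="boundedParamsStack"/>

    <!-- Hypothetical action, shown only so the package is complete. -->
    <action name="register" class="com.example.RegisterAction">
      <result>/register.jsp</result>
    </action>
  </package>
</struts>
```

Actions that declare their own interceptor-ref bypass the package default, so they need the same override on their own stack.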

Thanks to Johno Crawford for the provided patch.

Please upgrade to Struts
