Child pages
  • S2-021
Skip to end of metadata
Go to start of metadata


Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation

Who should read this

All Struts 2 developers and users

Impact of vulnerability

ClassLoader manipulation

Maximum security rating



Developers should immediately upgrade to Struts

Affected Software

Struts 2.0.0 - Struts


Takeshi Terada (Mitsui Bussan Secure Directions, Inc.),
Takayoshi Isayama (Mitsui Bussan Secure Directions, Inc.),
Yoshiyuki Karezaki (Yoshiyuki.Karezaki at
BAKA/ty (121605589 at,
Nebula (Chibi, Hubei, CN), HelloWorld security team,
NSFOCUS Security Team,
heige (zhoujp at

CVE Identifier

CVE-2014-0112 - Incomplete fix for ClassLoader manipulation via ParametersInterceptor

CVE-2014-0113 - ClassLoader manipulation via CookieInterceptor when configured to accept all cookies


The excluded parameter pattern introduced in version to block access to getClass() method wasn't sufficient. It is possible to omit that with specially crafted requests. Also CookieInterceptor is vulnerable for the same kind of attack when it was configured to accept all cookies (when "*" is used to configure cookiesName param).


In Struts improved "class" pattern was introduced directly to ParametersInterceptor and CookieInterceptor.

Backward compatibility

No backward compatibility problems are expected.


If you cannot upgrade to version immediately - which is strongly advised - you can apply below workarounds:

Exclude 'class' parameter

Replace the previous class related pattern with '(.*\.|^|.*|\[('|"))class(\.|('|")]|\[).*' on the list of excludeParams as below

It isn't possible to do the same with CookieInterceptor, so don't use wildcard mapping to accept cookie names or implement your own version of CookieInterceptor based on code provided in Struts

Please be aware that this workaround is not as complete as the corrections in Struts

  • No labels