

Wrong excludeParams overrides those defined in DefaultExcludedPatternsChecker

Who should read this

All Struts 2 developers and users

Impact of vulnerability

If the default settings are used, an attacker can compromise the internal state of an application

Maximum security rating



Developers should immediately upgrade to Struts or introduce the change below in the framework's settings

Affected Software

Struts 2.3.20


Jasper Rosenberg at Cargurus

CVE Identifier



Wrong default exclude patterns were introduced in version 2.3.20 of Struts: the excludeParams parameter set on the params interceptor in the default stacks overrides the patterns defined in DefaultExcludedPatternsChecker. If the default settings are used, an attacker can compromise the application's internal state.


In Struts a better set of exclude patterns was defined.

Backward compatibility

No backward compatibility problems are expected.


If you cannot migrate to the latest version, it is highly recommended to redefine defaultStack from struts-default.xml as the one below (or any other stack used in your application) and drop the excludeParams parameter:

Redefined defaultStack

and define the following constant in struts.xml
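As an added example (not the advisory's own XML and not Apache Struts code), the following Python audit parses a struts.xml and reports the two things the workaround above asks for: any params interceptor-ref that still carries an excludeParams param, which replaces the patterns DefaultExcludedPatternsChecker ships with, and whether a struts.excludedPatterns constant is defined. The embedded struts.xml is constructed for this example, and the pattern values in it are placeholders; take the real list from the struts-default.xml of a fixed Struts release.

```python
"""Audit a Struts 2 struts.xml for the S2-023 workaround (added example,
not code from the advisory or from Apache Struts).

Two checks, matching the two workaround steps:
  1. no <interceptor-ref name="params"> still carries <param name="excludeParams">,
     because that parameter replaces the patterns DefaultExcludedPatternsChecker
     ships with instead of adding to them;
  2. a struts.excludedPatterns constant is defined in struts.xml.
"""
import xml.etree.ElementTree as ET

# Constructed sample configuration for this example. Package "legacy" keeps the
# 2.3.20 struts-default.xml shape (params interceptor with excludeParams);
# package "fixed" redefines defaultStack without it. The pattern values are
# placeholders, not the real list from a fixed Struts release.
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
  <constant name="struts.excludedPatterns" value="^(action|method):.*,^dojo\\..*,^struts\\..*"/>

  <package name="legacy" extends="struts-default">
    <interceptors>
      <interceptor-stack name="legacyStack">
        <interceptor-ref name="exception"/>
        <interceptor-ref name="params">
          <param name="excludeParams">dojo\\..*,^struts\\..*</param>
        </interceptor-ref>
      </interceptor-stack>
    </interceptors>
  </package>

  <package name="fixed" extends="struts-default">
    <interceptors>
      <interceptor-stack name="defaultStack">
        <interceptor-ref name="exception"/>
        <interceptor-ref name="params"/>
        <interceptor-ref name="validation">
          <param name="excludeMethods">input,back,cancel,browse</param>
        </interceptor-ref>
      </interceptor-stack>
    </interceptors>
    <default-interceptor-ref name="defaultStack"/>
  </package>
</struts>
"""


def _enclosing(parents, element, tags):
    """Walk up the parent map to the nearest ancestor whose tag is in tags."""
    while element is not None:
        if element.tag in tags:
            return element
        element = parents.get(element)
    return None


def find_exclude_params_overrides(xml_text):
    """Return (package, scope kind, scope name, value) for every params
    interceptor-ref that still sets excludeParams, whether it sits in an
    interceptor-stack or directly on an action."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    hits = []
    for ref in root.iter("interceptor-ref"):
        if ref.get("name") != "params":
            continue
        for param in ref.findall("param"):
            if param.get("name") != "excludeParams":
                continue
            scope = _enclosing(parents, ref, ("interceptor-stack", "action"))
            package = _enclosing(parents, ref, ("package",))
            hits.append((
                package.get("name") if package is not None else None,
                scope.tag if scope is not None else None,
                scope.get("name") if scope is not None else None,
                (param.text or "").strip(),
            ))
    return hits


def excluded_patterns_constant(xml_text):
    """Return the value of the struts.excludedPatterns constant, or None."""
    root = ET.fromstring(xml_text)
    for const in root.findall("constant"):
        if const.get("name") == "struts.excludedPatterns":
            return const.get("value")
    return None


def audit(xml_text):
    """Human-readable findings; an empty list means the workaround is in place."""
    findings = [
        f"package {pkg!r}, {kind} {name!r}: params interceptor sets excludeParams={value!r}"
        for pkg, kind, name, value in find_exclude_params_overrides(xml_text)
    ]
    if excluded_patterns_constant(xml_text) is None:
        findings.append("struts.excludedPatterns constant is not defined")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_STRUTS_XML) or ["workaround applied"]:
        print(line)
```

Run it against your real struts.xml by passing the file contents to audit(). The constant check only looks at struts.xml; if your application sets struts.excludedPatterns in struts.properties instead, that finding is a false positive and you can drop that branch.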
