This Confluence has been LDAP enabled, if you are an ASF Committer, please use your LDAP Credentials to login. Any problems file an INFRA jira ticket please.

Child pages
  • S2-035
Skip to end of metadata
Go to start of metadata


Action name clean up is error prone

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible way to craft vulnerable payload

Maximum security rating



Upgrade to latest version of the Apache Struts, 2.3.29 or 2.5.1.

Affected Software

Struts 2.0.0 - Struts


Alvaro Munoz alvaro dot munoz at hpe dot com

Sam Ng samn at hpe dot com

CVE Identifier



The method used to clean up action name can produce vulnerable payload based on crafted input which can be used by attacker to perform unspecified attack.


You should upgrade to latest Struts version or implement your own version of ActionMapper based on source code of receomened Struts versions.

Backward compatibility

No issues expected when upgrading Struts version.


Implement your own version of clean up method which will throw an exception.


  • No labels