S2-039


Getter as action method leads to security bypass

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible manipulation of the result returned by an action and bypass of validation

Maximum security rating


Recommendation

Upgrade to Struts 2.3.29.

Affected Software

Struts 2.3.20 - Struts

Credits

Takeshi Terada websec02 dot g02 at

CVE Identifier


Problem

By invoking a getter as the action method, a crafted request can bypass internal security checks (including validation) and control the result string returned by the action, which can lead to the user being redirected to an unvalidated location.

Solution

Upgrade to Apache Struts version 2.3.29.

Backward compatibility

Some backward incompatibility issues are expected when upgrading to Struts 2.3.29: some OGNL expressions may stop working because they perform arithmetic operations or assignments that are now disallowed.

Workaround

If you cannot upgrade immediately, use a more restrictive regular expression for cleaning up action names, for example:

<constant name="struts.allowed.action.names" value="[a-zA-Z]*" />

Adjust the regular expression to your action naming pattern and keep it as narrow as possible. Note that [a-zA-Z]* accepts letters only, so action names containing digits, dots, hyphens or underscores would no longer be accepted unless you widen the pattern for them.
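The following is an added illustration, not code from Struts or from this bulletin. It is a toy dispatcher that reproduces the shape of the problem described above (a getter invoked as the action method, its request-controlled return value used as the result code) next to a hardened variant that applies the same letters-only action-name pattern as the workaround. The class names, the "!method" suffix the toy uses to select a method, the result mappings and the sample request are all constructed for the demo; the toy does not reproduce how Struts itself parses requests.

```java
import java.lang.reflect.Method;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/*
 * Added illustration, not Struts code. The request supplies an "action name"; in this
 * toy an optional "!method" suffix selects the method to invoke (the toy's own
 * convention, assumed for the demo).
 */
public class GetterAsActionDemo {

    /** Constructed sample action. Only execute() was ever meant to be an entry point. */
    public static class LoginAction {
        private String target = "home";

        /** Populated from a request parameter, like any other action property. */
        public void setTarget(String target) { this.target = target; }

        /** Plain getter; it also happens to have the signature of an action method. */
        public String getTarget() { return target; }

        /** The intended action method: returns a result code mapped to a fixed view. */
        public String execute() { return "success"; }
    }

    /** Stand-in for the result mappings an application declares (assumed for the demo). */
    static final Map<String, String> RESULTS = Map.of(
            "success", "/welcome.jsp",
            "input", "/login.jsp");

    /** Same value as the workaround in the bulletin: letters only. */
    static final Pattern ALLOWED_ACTION_NAME = Pattern.compile("[a-zA-Z]*");

    /** Explicit allow list of methods that may serve as action methods (assumed design). */
    static final Set<String> ACTION_METHODS = Set.of("execute");

    /** Splits "name!method" into the method part; defaults to execute (toy convention). */
    static String methodOf(String actionName) {
        String[] parts = actionName.split("!", 2);
        return parts.length == 2 ? parts[1] : "execute";
    }

    /**
     * Vulnerable shape: whatever method the request names is invoked by reflection, and
     * whatever String it returns is used as the result code. A getter returning a
     * request-controlled value therefore yields an attacker-chosen result code, and an
     * unmapped code is treated as a redirect location.
     */
    static String dispatchUnsafe(String actionName, Map<String, String> params) throws Exception {
        LoginAction action = new LoginAction();
        if (params.containsKey("target")) {
            action.setTarget(params.get("target"));
        }
        Method m = action.getClass().getMethod(methodOf(actionName));
        String code = (String) m.invoke(action);
        return RESULTS.getOrDefault(code, "redirect:" + code);
    }

    /**
     * Hardened shape: the whole action name must match the restrictive pattern (so any
     * "!method" suffix is rejected before anything else happens), only allow-listed
     * methods are invokable even if the pattern is later widened, and a result code
     * without a mapping is an error rather than a redirect.
     */
    static String dispatchSafe(String actionName, Map<String, String> params) throws Exception {
        if (!ALLOWED_ACTION_NAME.matcher(actionName).matches()) {
            throw new IllegalArgumentException("action name rejected: " + actionName);
        }
        String method = methodOf(actionName);
        if (!ACTION_METHODS.contains(method)) {
            throw new IllegalArgumentException("method not allowed as action method: " + method);
        }
        LoginAction action = new LoginAction();
        if (params.containsKey("target")) {
            action.setTarget(params.get("target"));
        }
        String code = (String) action.getClass().getMethod(method).invoke(action);
        String view = RESULTS.get(code);
        if (view == null) {
            throw new IllegalStateException("unmapped result code: " + code);
        }
        return view;
    }

    public static void main(String[] args) throws Exception {
        // Constructed request: the attacker controls the "target" parameter.
        Map<String, String> crafted = Map.of("target", "http://attacker.example/");

        System.out.println(dispatchUnsafe("login", crafted));
        System.out.println(dispatchUnsafe("login!getTarget", crafted));
        try {
            dispatchSafe("login!getTarget", crafted);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(dispatchSafe("login", crafted));
    }
}
```

Running the toy with the "login" name takes the intended execute() path in both dispatchers, while "login!getTarget" makes the unsafe dispatcher hand back a redirect to the attacker-supplied target and makes the safe dispatcher reject the name at the pattern check. The allow list and the unmapped-code check are kept even though the pattern already blocks the suffix, so that widening the pattern for digits or hyphens later does not reopen the getter path.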
