A crafted XML request can be used to perform a DoS attack when using the Struts REST plugin

Who should read this

All Struts 2 developers and users which are using the REST plugin

Impact of vulnerability

A DoS attack is possible when using XStream handler with the Struts REST plugin

Maximum security rating



Upgrade to Struts 2.5.16

Affected Software

Struts 2.1.1 - Struts


Yevgeniy Grushka & Alvaro Munoz from HPE

CVE Identifier



The REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload.


If you are using the REST plugin, upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here. Another option is to implement a custom XML handler based on the Jackson XML handler from the Apache Struts 2.5.16.

Backward compatibility

No backward incompatibility issues are expected.


Use Jackson XML handler instead of the default XStream handler as described here.

  • No labels