
These are the notes for the Struts 2.3.34 distribution.

For prior notes in this release series, see Version Notes 2.3.33

  • If you are a Maven user, you might want to get started using the Maven Archetype.
  • Another quick-start entry point is the blank application. Rename and deploy the WAR as a starting point for your own development.
  • There is a huge number of examples you can also use as a starting point for your application here
Maven Dependency

You can also use the Struts Archetype Catalog as shown below

Struts Archetype Catalog
mvn archetype:generate -DarchetypeCatalog=
Staging Repository
    <name>ASF Nexus Staging</name>

Internal Changes

  • A regular expression Denial of Service when using URLValidator (similar to S2-044 & S2-047), see S2-050
  • A remote attacker may create a DoS attack by sending a crafted XML request when using the Struts REST plugin, see S2-051
  • Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads, see S2-052
  • A possible Remote Code Execution attack when using an unintentional expression in a Freemarker tag instead of string literals, see S2-053


  • [WW-4176] - Struts2 JSON Plugin: Send Map with Strings as Key to JSON Action is ignored, Numeric Keys will work and mapped
  • [WW-4817] - Threads get blocked due to unnecessary synchronization in OgnlRuntime


  • [WW-4832] - Upgrade to OGNL 3.0.21
  • [WW-4844] - Upgrade to struts-master 11


  • [WW-4834] - Improve RegEx used to validate URLs


This release contains fixes related to S2-050, S2-051, S2-052 and S2-053 - please read them carefully!

Issue Detail

Issue List

Other resources
