(tick) These are the notes for the Struts 2.3.34 distribution.

(tick) For prior notes in this release series, see Version Notes 2.3.33

  • If you are a Maven user, you might want to get started using the Maven Archetype.
  • Another quick-start entry point is the blank application. Rename and deploy the WAR as a starting point for your own development.
  • There is huge number of examples you can also use as a starting point for you application here
Maven Dependency

You can also use Struts Archetype Catalog like below

Struts Archetype Catalog
mvn archetype:generate -DarchetypeCatalog=http://struts.apache.org/
Staging Repository
    <name>ASF Nexus Staging</name>

Internal Changes

  • (warning) A regular expression Denial of Service when using URLValidator (similar to S2-044 & S2-047), see S2-050
  • (warning) A remote attacker may create a DoS attack by sending crafted xml request when using the Struts REST plugin, see S2-051
  • (warning) Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads, see S2-052
  • (warning) A possible Remote Code Execution attack when using an unintentional expression in Freemarker tag instead of string literals, see S2-053


  • [WW-4176] - Struts2 JSON Plugin: Send Map with Strings as Key to JSON Action is ignored, Numeric Keys will work and mapped
  • [WW-4817] - Threads get blocked due to unnecessary synchronization in OgnlRuntime


  • [WW-4832] - Upgrade to OGNL 3.0.21
  • [WW-4844] - Upgrade to struts-master 11


  • [WW-4834] - Improve RegEx used to validate URLs


This release contains fixes related to S2-050, S2-051, S2-052 and S2-053 - please read them carefully!

Issue Detail

Issue List

Other resources

  • No labels