Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution - similar to S2-059.

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible Remote Code Execution vulnerability

Maximum security rating



Upgrade to Struts 2.5.26 or greater

Affected Software

Struts 2.0.0 - Struts 2.5.25


Alvaro Munoz - pwntester at github dot com

Masato Anzai of Aeye Security Lab, inc.

CVE Identifier



Some of the tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.


Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.26 which checks if expression evaluation won't lead to the double evaluation.

Backward compatibility

No issues expected when upgrading to Struts 2.5.26


Do not use forced OGNL evaluation in the tag's attributes based on untrusted/unvalidated user input, please follow out recommendations from the Security Guide.

  • No labels