Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible Remote Code Execution

Maximum security rating



Disable Dynamic Method Invocation if possible. Alternatively upgrade to Struts, Struts or Struts

Affected Software

Struts 2.3.20 - Struts 2.3.28 (except 3 and


Nike Zheng nike dot zheng at dbappsecurity dot com dot cn

CVE Identifier



Disable Dynamic Method Invocation when possible or upgrade to Apache Struts versions, 3 or

Backward compatibility

No issues expected when upgrading to Struts, 3 and


Disable Dynamic Method Invocation or implement your own version of ActionMapper based on the source code of the recommended Apache Struts versions.
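
One way to check the "Disable Dynamic Method Invocation" recommendation against a deployment's configuration, as an added example that is not part of this advisory or of the Struts project's code: it reads the `struts.enable.DynamicMethodInvocation` constant from the text of `struts.xml` and `struts.properties`. The sample configuration is constructed, the function names are hypothetical, and treating any value other than a literal `false` as needing review is a conservative assumption.

```python
import xml.etree.ElementTree as ET

DMI_KEY = "struts.enable.DynamicMethodInvocation"

# Constructed sample configuration (not taken from the advisory).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
  <constant name="struts.devMode" value="false"/>
  <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
</struts>"""
SAMPLE_PROPERTIES = "# constructed sample\nstruts.enable.DynamicMethodInvocation = false\n"

def _needs_review(value):
    # Conservative assumption: only a literal "false" counts as disabled.
    return value.strip().lower() != "false"

def dmi_from_xml(text):
    """None if the constant is absent, else True when it is not disabled."""
    found = None
    for const in ET.fromstring(text.encode("utf-8")).iter("constant"):
        if const.get("name") == DMI_KEY:
            found = _needs_review(const.get("value", ""))
    return found

def dmi_from_properties(text):
    """Same contract for struts.properties ('key = value' lines only)."""
    found = None
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == DMI_KEY:  # comment lines never match the key
            found = _needs_review(value)
    return found

def audit(xml_text=None, properties_text=None):
    """'review' if any source leaves DMI on, 'disabled' if all that set it say
    false, 'unset' if no source sets it (version default applies, not checked)."""
    results = [f(t) for f, t in ((dmi_from_xml, xml_text),
                                 (dmi_from_properties, properties_text)) if t]
    results = [r for r in results if r is not None]
    if not results:
        return "unset"
    return "review" if any(results) else "disabled"

if __name__ == "__main__":
    print(audit(SAMPLE_XML, SAMPLE_PROPERTIES))
```

A result of `unset` means no file sets the constant explicitly, so the effective value is whatever the deployed Struts version defaults to; the script does not determine that.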