S2-033


Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible Remote Code Execution

Maximum security rating



Disable Dynamic Method Invocation if possible. Alternatively upgrade to Struts, Struts or Struts

Affected Software

Struts 2.3.20 - Struts Struts 2.3.28 (except and


Alvaro Munoz alvaro dot munoz at hpe dot com

CVE Identifier



When Dynamic Method Invocation is enabled and the REST Plugin is in use, it is possible to pass a malicious expression that executes arbitrary code on the server side.
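One way to check a deployed application for the combination described above, as an added example that is not part of the original bulletin: the script looks for the REST Plugin jar and for an explicit `struts.enable.DynamicMethodInvocation` setting in `struts.xml` and `struts.properties`. It assumes an exploded webapp directory and the usual `struts2-rest-plugin-<version>.jar` file name; it does not follow `<include>` files or read `web.xml` init-params, and the sample configuration is constructed.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

DMI_KEY = "struts.enable.DynamicMethodInvocation"
REST_JAR = re.compile(r"^struts2-rest-plugin-.*\.jar$")  # assumed jar naming

# Constructed sample: a struts.xml that follows the bulletin's recommendation.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
</struts>"""

def dmi_from_xml(text):
    """True/False if struts.xml sets the DMI constant, None if it is unset."""
    value = None
    for const in ET.fromstring(text).iter("constant"):
        if const.get("name") == DMI_KEY:
            value = const.get("value", "").strip().lower() == "true"
    return value

def dmi_from_properties(text):
    """Same check for struts.properties; commented-out lines do not match."""
    value = None
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep and key.strip() == DMI_KEY:
            value = val.strip().lower() == "true"
    return value

def audit(webapp_root):
    """Report REST Plugin presence and the explicit DMI state under a webapp."""
    root = Path(webapp_root)
    rest = any(REST_JAR.match(p.name) for p in root.rglob("*.jar"))
    found = [dmi_from_xml(p.read_bytes()) for p in root.rglob("struts.xml")]
    found += [dmi_from_properties(p.read_text())
              for p in root.rglob("struts.properties")]
    explicit = [v for v in found if v is not None]
    if any(explicit):
        dmi = "enabled"    # conservative: any source enabling DMI counts
    elif explicit:
        dmi = "disabled"
    else:
        dmi = "unset"      # falls back to the Struts version's default
    # Needs attention unless DMI is explicitly disabled everywhere it is set.
    return {"rest_plugin": rest, "dmi": dmi,
            "review": rest and dmi != "disabled"}

if __name__ == "__main__":
    print(dmi_from_xml(SAMPLE_STRUTS_XML))
```

A result with `review` set means the application should be compared against the affected versions listed in the bulletin.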