Possible Remote Code Execution when performing file upload based on the Jakarta Multipart parser.

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible RCE when performing file upload based on the Jakarta Multipart parser

Maximum security rating



Upgrade to Struts 2.3.32 or the fixed Struts 2.5 release

Affected Software

Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10


Nike Zheng <nike dot zheng at dbappsecurity dot com dot cn>

CVE Identifier



It is possible to perform an RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid, an exception is thrown, and the exception message (which carries the attacker-supplied value) is then used to display an error message to the user.


If you are using the Jakarta-based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or the fixed Struts 2.5 release. You can also switch to a different implementation of the Multipart parser.

Backward compatibility

No backward incompatibility issues are expected.


Implement a Servlet filter which validates the Content-Type header and rejects any request whose value is suspicious, i.e. does not match a well-formed multipart/form-data (or another plain media type), before it reaches the Struts multipart parser.
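An example of such a filter, added here for illustration and not part of the Struts project or the original bulletin. The class name `ContentTypeValidationFilter`, the 256-byte length cap and the exact allow-list patterns are this example's own choices; the boundary alphabet is the one RFC 2046 defines. Only `multipart/form-data` with an optional boundary parameter is accepted among multipart types; every other value must be a plain type/subtype with simple `key=value` parameters, so a header containing `%`, `{`, `}`, quotes or parentheses in the type is dropped.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet filter that rejects requests carrying a suspicious Content-Type
 * before the Struts Jakarta multipart parser can see it.
 * Class name and allow-list are this example's own (hypothetical) choices.
 */
public class ContentTypeValidationFilter implements Filter {

    /** Longest Content-Type value we are willing to examine at all. */
    private static final int MAX_LENGTH = 256;

    /**
     * The only multipart type accepted: multipart/form-data with at most a
     * boundary parameter, using the boundary alphabet from RFC 2046 section 5.1.1
     * (optionally quoted). Anything else in the value fails the match.
     */
    private static final Pattern MULTIPART_FORM_DATA = Pattern.compile(
            "^multipart/form-data(\\s*;\\s*boundary=\"?[0-9A-Za-z'()+_,\\-./:=? ]{1,70}\"?)?\\s*$",
            Pattern.CASE_INSENSITIVE);

    /**
     * Any other value must be a plain type/subtype with optional simple
     * key=value parameters (e.g. "application/json; charset=UTF-8"). The
     * alphabet deliberately excludes '%', '{', '}', quotes and parentheses.
     */
    private static final Pattern SIMPLE_MEDIA_TYPE = Pattern.compile(
            "^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+"
            + "(\\s*;\\s*[A-Za-z0-9_-]+=[A-Za-z0-9_.+-]+)*\\s*$");

    /** Pure decision function, kept static so it can be unit-tested in isolation. */
    static boolean isAllowed(String contentType) {
        if (contentType == null) {
            return true;   // no body type declared; nothing for a multipart parser to act on
        }
        if (contentType.length() > MAX_LENGTH) {
            return false;
        }
        String ct = contentType.trim();
        // Struts routes a request to the multipart parser when the header mentions
        // multipart/form-data, so that is the case to lock down hardest.
        if (ct.toLowerCase(Locale.ROOT).contains("multipart/form-data")) {
            return MULTIPART_FORM_DATA.matcher(ct).matches();
        }
        return SIMPLE_MEDIA_TYPE.matcher(ct).matches();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!isAllowed(request.getContentType())) {
            // Drop the request with a generic status; never echo the header value back.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }
}
```

Register the filter in web.xml with a `/*` mapping placed before the Struts filter's mapping: servlet filters run in the order of their `filter-mapping` elements, so this is what guarantees the check happens before Struts touches the request. The `isAllowed` method is deliberately free of servlet dependencies so it can be exercised directly with constructed header values (for example a plain `multipart/form-data; boundary=----abc123` should pass while a value containing `%{` should be refused).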

Another option is to remove the File Upload Interceptor from the stack: define your own custom stack without it and set that stack as the default (see How do we configure an Interceptor to be used with every Action). This works only for Struts 2.5.8 - 2.5.10.

Code Block
    <!-- Same as defaultStack, except that the fileUpload interceptor is left out -->
    <interceptor-stack name="defaultWithoutUpload">
        <interceptor-ref name="exception"/>
        <interceptor-ref name="alias"/>
        <interceptor-ref name="servletConfig"/>
        <interceptor-ref name="i18n"/>
        <interceptor-ref name="prepare"/>
        <interceptor-ref name="chain"/>
        <interceptor-ref name="scopedModelDriven"/>
        <interceptor-ref name="modelDriven"/>
        <interceptor-ref name="checkbox"/>
        <interceptor-ref name="datetime"/>
        <interceptor-ref name="multiselect"/>
        <interceptor-ref name="staticParams"/>
        <interceptor-ref name="actionMappingParams"/>
        <interceptor-ref name="params"/>
        <interceptor-ref name="conversionError"/>
        <interceptor-ref name="validation">
            <param name="excludeMethods">input,back,cancel,browse</param>
        </interceptor-ref>
        <interceptor-ref name="workflow">
            <param name="excludeMethods">input,back,cancel,browse</param>
        </interceptor-ref>
        <interceptor-ref name="debugging"/>
    </interceptor-stack>

    <!-- Make the upload-free stack the default for every action in the package -->
    <default-interceptor-ref name="defaultWithoutUpload"/>