This Confluence has been LDAP enabled, if you are an ASF Committer, please use your LDAP Credentials to login. Any problems file an INFRA jira ticket please.

Child pages
  • S2-021
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »


Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation

Who should read this

All Struts 2 developers and users

Impact of vulnerability

ClassLoader manipulation

Maximum security rating



Developers should immediately upgrade to Struts

Affected Software

Struts 2.0.0 - Struts


Taki Uchiyama (JPCERT/CC), Takeshi Terada (Mitsui Bussan Secure Directions, Inc.), Takayoshi Isayama (Mitsui Bussan Secure Directions, Inc.), Yoshiyuki Karezaki, BAKA/ty, Shine (1983059165 at, NSFOCUS Security Team

CVE Identifier

CVE-2014-0112 - Incomplete fix for ClassLoader manipulation via ParametersInterceptor

CVE-2014-0113 - ClassLoader manipulation via CookieInterceptor when configured to accept all cookies


The default upload mechanism in Apache Struts 2 is based on Commons FileUpload version 1.3 which is vulnerable and allows DoS attacks. Additional ParametersInterceptor allows access to 'class' parameter which is directly mapped to getClass() method and allows ClassLoader manipulation.


In Struts, Commons FileUpload was updated to version 1.3.1 and "class" was added to excludeParams in struts-default.xml configuration of ParametersInterceptor.

Backward compatibility

No backward compatibility problems are expected.


If you cannot upgrade to version which is strongly advised, you can apply below workarounds:

Upgrade commons-fileupload

The fixed commons-fileupload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar file in WEB-INF/lib with the updated jar. For Maven
based Struts 2 projects, the following dependency needs to be added:


Exclude 'class' parameter

Simple add '^class\.*' to the list of excludeParams as below

<interceptor-ref name="params">
  <param name="excludeParams">^class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
  • No labels