

TextParseUtil.translateVariables does not filter malicious OGNL expressions

Who should read this

All Struts 2 developers

Impact of vulnerability

Remote Code Execution, when unsanitized user input is passed to the method by a developer

Maximum security rating



Recommendation

Don't pass unsanitized user input to this method or to ActionSupport's getText methods. An upgrade to Struts 2.3.20 or later is recommended.

Affected Software

Struts 2.0.0 - all versions before Struts 2.3.20


Reporter

Huawei PSIRT Team

CVE Identifier



Problem

TextParseUtil.translateVariables evaluates a given String with OGNL. Before Struts 2.3.20, a specially crafted String incorporating ANTLR tooling could, when passed to this method, cause remote code execution.

The Struts 2 framework itself does not pass any user-modifiable input to this method, neither directly nor indirectly. However, a developer building a Struts-based web application might pass unsanitized user input to TextParseUtil.translateVariables or to ActionSupport's getText methods. In that case remote code execution might be possible.


Solution

  • Don't pass unsanitized user input to framework methods that include OGNL expression evaluation.
  • Upgrade to Struts 2.3.20 or later. Since Struts 2.3.20, advanced filtering has been applied to this and similar methods involving OGNL evaluation.
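
The developer mistake described above, beside a hardened form, as an added example that is not code from the advisory or from the Struts project. The action class, its `msgKey` request parameter and the message keys are assumed for illustration; the fix is to let user input only select among known message keys, so that it never reaches a method that evaluates OGNL.

```java
import java.util.Map;

import com.opensymphony.xwork2.ActionSupport;

// Hypothetical Struts 2 action; the "msgKey" parameter is an assumption.
public class GreetingAction extends ActionSupport {

    // Bound from the request by the params interceptor, so attacker-controlled.
    private String msgKey;

    public void setMsgKey(String msgKey) {
        this.msgKey = msgKey;
    }

    // Vulnerable pattern (Struts before 2.3.20): the raw request value is
    // handed to getText(). When no bundle entry matches, the value is used as
    // the default message and run through TextParseUtil.translateVariables,
    // which evaluates embedded expressions with OGNL.
    public String executeUnsafe() {
        addActionMessage(getText(msgKey));
        return SUCCESS;
    }

    // Hardened pattern: a fixed map from accepted request values to the
    // message keys the application actually defines (keys are constructed
    // for this example). Anything else falls back to a safe default, so the
    // argument passed to getText() is always one of our own literals.
    private static final Map<String, String> ALLOWED_KEYS = Map.of(
            "morning", "greeting.morning",
            "evening", "greeting.evening");

    static String resolveKey(String userValue) {
        return ALLOWED_KEYS.getOrDefault(userValue, "greeting.default");
    }

    public String execute() {
        addActionMessage(getText(resolveKey(msgKey)));
        return SUCCESS;
    }
}
```

The same lookup discipline applies to any value that would otherwise reach TextParseUtil.translateVariables directly; upgrading to 2.3.20 adds framework-side filtering but does not remove the need to keep user input out of these calls.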

