Child pages
  • S2-044
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »


Possible DoS attack when using URLValidator

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible DoS attack when using URLValidator

Maximum security rating



Upgrade to Struts 2.3.32 or Struts 2.5.6

Affected Software

Struts 2.3.20 - 2.3.31, Struts 2.5 - Struts 2.5.5


 Jonathan Bullock <jonbullock at gmail dot com>

CVE Identifier



If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.


Upgrade to Apache Struts version 2.5.6.

Backward compatibility

No backward incompatibility issues are expected.


Trim passed value before assigning it to a field, e.g.

public String setUserUrl(String userUrl) {
    this.userUrl = userUrl.trim();
  • No labels