S2-049

A DoS attack is available for Spring secured actions

Who should read this

All Struts 2 developers and users

Impact of vulnerability

A DoS attack is available for Spring secured actions

Maximum security rating



Upgrade to Struts 2.5.11

Affected Software

Struts 2.5 - Struts 2.5.10


 Yasser Zamani <yasser dot zamani at live dot com>

CVE Identifier



When using Spring AOP functionality to secure Struts actions, it is possible to perform a DoS attack when the user was properly authenticated.


Upgrade to Apache Struts version 2.5.11.

Backward compatibility

No backward incompatibility issues are expected.


Please define the below constant in a struts.xml file:

<constant name="struts.additional.excludedPatterns" value=".*\.accessDecisionManager\..*" />
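A pre-deployment check for this workaround, as an added example that is not part of the advisory or of Struts: it reads a struts.xml, finds the `struts.additional.excludedPatterns` constant and confirms the pattern really rejects parameter names that contain `.accessDecisionManager.`. The struts.xml fragments and parameter names are constructed, and the full-match and comma-separated-list semantics are assumptions about how the constant is evaluated.

```python
import re
import xml.etree.ElementTree as ET

CONSTANT = "struts.additional.excludedPatterns"
# Constructed struts.xml fragments for the demo (not taken from a real application).
WITH_WILDCARDS = r"""<struts>
  <constant name="struts.additional.excludedPatterns" value=".*\.accessDecisionManager\..*" />
</struts>"""
# The same constant after the "*" quantifiers were lost, e.g. through copy/paste.
WITHOUT_WILDCARDS = r"""<struts>
  <constant name="struts.additional.excludedPatterns" value=".\.accessDecisionManager\.." />
</struts>"""
NO_CONSTANT = '<struts><constant name="struts.devMode" value="false" /></struts>'

# Constructed parameter names: the first list must be rejected, the second must pass.
SHOULD_EXCLUDE = ["proxy.accessDecisionManager.setting", "a.b.accessDecisionManager.c.d"]
SHOULD_ALLOW = ["username", "order.items[0].quantity"]


def excluded_patterns(struts_xml):
    """Compile the patterns configured under struts.additional.excludedPatterns."""
    patterns = []
    for const in ET.fromstring(struts_xml).iter("constant"):
        if const.get("name") == CONSTANT:
            # Assumption: several patterns may be given as a comma-separated list.
            patterns += [re.compile(r.strip()) for r in const.get("value", "").split(",") if r.strip()]
    return patterns


def is_excluded(name, patterns):
    # Assumption: a pattern must match the whole parameter name, not a substring.
    return any(p.fullmatch(name) for p in patterns)


def audit(struts_xml):
    """Return 'missing', 'ineffective' or 'ok' for the workaround constant."""
    patterns = excluded_patterns(struts_xml)
    if not patterns:
        return "missing"
    blocks_all = all(is_excluded(n, patterns) for n in SHOULD_EXCLUDE)
    blocks_benign = any(is_excluded(n, patterns) for n in SHOULD_ALLOW)
    return "ok" if blocks_all and not blocks_benign else "ineffective"


if __name__ == "__main__":
    for doc in (WITH_WILDCARDS, WITHOUT_WILDCARDS, NO_CONSTANT):
        print(audit(doc))
```

An "ineffective" result means the constant is present but, under whole-name matching, does not cover nested parameter names, so the configuration should be treated the same as one with the workaround missing.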


