SummaryA remote attacker may create a DoS attack by sending crafted xml request when using the Struts REST plugin
Who should read this
All Struts 2 developers and users
Impact of vulnerability
A DoS attack is possible when using outdated XStream library with the Struts REST plugin
Maximum security rating
Struts 2.3.7 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12
Huijun Chen, Xiaolong Zhu
The REST Plugin is using outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload.
Upgrade to Apache Struts version 2.5.13 or 2.3.34.
No backward incompatibility issues are expected.
When using Maven, you can exclude the XStream library and use the latest 1.4.10 version. In other case replace the XStream jar in your final distribution package.