Please visit the Releases page to see full information about each version and what potential vulnerability it can have:
| Version | Supported |
|---|---|
| 7.x | ✅ |
| 6.7.x | ✅ |
| 2.5.x | ❌ |
(original)
The Apache Struts project takes a very active stance in eliminating security problems and denial of service attacks against applications using the Apache Struts framework.
We strongly encourage folks to report such security problems to our private security mailing list first, before disclosing them in a public forum.
We cannot accept regular bug reports or other queries at this address, we ask that you use our issue tracker (JIRA) for those.
All mail sent to this address that does not relate to security problems in the Apache Struts source code will be ignored
Note that all networked servers are subject to denial of service attacks, and we cannot promise magic workarounds to generic problems (such as a client streaming lots of data to your server or requesting the same URL repeatedly). In general, our philosophy is to avoid any attacks that can cause the server to consume resources in a non-linear relationship to the size of inputs.
The mailing address is: security@struts.apache.org
General network server security tips
Before sending a vulnerability report, run through the following checks. They exist to prevent duplicate reports, public disclosure of untriaged issues, and reports for behavior that is already documented as insecure configuration.
Confirm:
- which Struts versions are currently supported (see Supported Versions),
- where reports must be sent (see Reporting New Security Issues),
- which reports do not belong on the private security list.
Review the Struts security guidance and determine whether the finding is already covered by documented secure configuration or application guidance, including but not limited to:
- Config Browser Plugin exposure,
- direct JSP access,
devModeis required to exploit the vulnerability,@StrutsParameterusage and parameter annotation requirements,- unsafe setters or getters exposed to request parameters,
- use of incoming values in localization or forced OGNL evaluation,
- raw JSP EL expressions,
- custom error pages,
- Dynamic Method Invocation and Strict Method Invocation,
- accepted and excluded parameter patterns,
- Fetch Metadata, COOP, and COEP protections,
- OGNL sandboxing, allowlists, excluded classes/packages, and OGNL Guard settings.
If the behavior is caused by an application ignoring documented security guidance, that is not an Apache Struts framework vulnerability.
Compare the finding against already disclosed Struts vulnerabilities — affected versions, impact ratings, mitigations, and fixed versions:
If the finding overlaps with a known vulnerability, link to the existing bulletin, advisory, CVE, or release notes instead of drafting a new report.
Before drafting a report, confirm:
- Is the affected version supported?
- Is the behavior in Apache Struts framework code, rather than only in an application using Struts?
- Is it already documented as insecure configuration or unsupported usage?
- Is it a duplicate of a previously disclosed vulnerability or Security Bulletin?
- Can the impact be demonstrated with a minimal, self-contained reproduction?
Only proceed with a private report when these answers still point to a likely new vulnerability in the framework.
A useful private report includes:
- affected Struts version or version range,
- affected component or module,
- required application configuration, if any,
- minimal reproduction steps,
- expected behavior,
- actual behavior,
- demonstrated security impact,
- whether authentication or special privileges are required,
- proposed fix or mitigation, if known.
Do not speculate beyond what can be demonstrated. If severity is uncertain, say so explicitly.
- One vulnerability per report.
- Keep reproduction steps minimal and self-contained.
- Do not include unrelated findings.
- Do not publish exploit details or proof-of-concept code publicly before the Struts project has triaged the issue. Pushing a PoC to a public GitHub repository, gist, fork, or branch counts as public disclosure — even a "test" or throwaway repo. Private repositories are acceptable for sharing a PoC, but access must be granted individually to each PMC member who will triage the report.
- Do not send ordinary bugs, usage questions, or generic denial-of-service concerns to the private security list.
- If the issue is not a vulnerability in Apache Struts source code, use the appropriate public support or issue channel instead.