PT-2026-1915 · Apache · Apache Struts
Published 2025-12-19 · Updated 2026-03-24
CVE-2025-68493
CVSS v2.0: 9.4 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Apache Struts versions 2.0.0 before 2.2.1
Apache Struts versions 2.2.1 through 6.1.0
Description
The vulnerability is missing XML validation in Apache Struts, specifically in the XWork component: the SAX parser used by DomHelper is left in its default, unhardened configuration, so external entities declared in crafted XML input are resolved. This permits XML External Entity (XXE) injection, which an attacker can use to read sensitive files, potentially trigger Server-Side Request Forgery (SSRF), or cause a denial of service. Approximately 2.4 million instances have been identified.
Recommendations
Upgrade to version 6.1.1 or later to resolve the issue.
For deployments that cannot be immediately patched, disable external entity processing via a custom SAXParserFactory or JVM properties.
Tags: Fix, DoS, XXE
Affected Products
Apache Struts