share your technology and add some temperature for safety

Posted by deaguero at 2020-04-09

Struts 2 critical Remote Code Execution Vulnerability cve-2017-9805

All struts 2 developers and users

Vulnerability impact:

When using struts rest plug-in with xStream handler to process XML payload, remote code execution attack security level may occur



Upgrade to struts 2.5.13

Affected version

CVE number



Upgrade to Apache struts version 2.5.13

  Backward compatibility

Some rest actions may stop working due to the default restrictions applied to available classes. In this case, investigate the new interfaces introduced to allow class restrictions for each operation to be defined, which are:


The best option is to remove the struts rest plug-in when it is not used, or when it is limited to server normal pages and JSON only

Affected version:

Struts 2.5 - Struts 2.5.12

Circumvention scheme

Upgrade to struts 2.5.13 now.


The default restriction policy used in the new version will cause some functions of rest to stop working and affect some businesses. The following new interfaces are recommended: