Vulnerability Management, Data Security, Patch/Configuration Management

Data theft, SSRF intrusions likely with critical Apache Struts 2 bug

Multiple iterations of the Apache Struts 2 open-source web application framework have been impacted by the high-severity XML external entity injection vulnerability, tracked as CVE-2025-68493, which could be exploited to facilitate data exposure, as well as denial-of-service and server-side request forgery intrusions, GBHackers News reports.

Attackers could leverage the flaw, which was discovered by ZAST.AI researchers to have originated from improper XML configuration parsing validation within the framework's XWork component, to create illicit XMLs resulting in external entity processing for local file and internal resource compromise, sensitive data theft, and service disruptions.

Organizations and developers using Apache Struts 2 have been advised to immediately update to version 6.1.1 or later to mitigate potential compromise, while those that cannot do so have been urged to either implement a custom SAXParserFactory that deactivates external entities or establish JVM-level system properties that prohibit external schemas, DTDs, and stylesheets.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds