Multiple iterations of the Apache Struts 2 open-source web application framework have been impacted by the high-severity XML external entity injection vulnerability, tracked as CVE-2025-68493, which could be exploited to facilitate data exposure, as well as denial-of-service and server-side request forgery intrusions, GBHackers News reports.Attackers could leverage the flaw, which was discovered by ZAST.AI researchers to have originated from improper XML configuration parsing validation within the framework's XWork component, to create illicit XMLs resulting in external entity processing for local file and internal resource compromise, sensitive data theft, and service disruptions.Organizations and developers using Apache Struts 2 have been advised to immediately update to version 6.1.1 or later to mitigate potential compromise, while those that cannot do so have been urged to either implement a custom SAXParserFactory that deactivates external entities or establish JVM-level system properties that prohibit external schemas, DTDs, and stylesheets.
Vulnerability Management, Data Security, Patch/Configuration Management
Data theft, SSRF intrusions likely with critical Apache Struts 2 bug

Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



