Security Operations, Vulnerability Management, Supply chain, Patch/Configuration Management

Outdated Apache Struts versions see spike in downloads, posing security risk

HackRead reports that cybersecurity researchers at Sonatype have identified a significant surge in downloads of outdated Apache Struts versions, indicating potential widespread vulnerability in software supply chains.

The issue centers on a flaw, CVE-2025-68493, found in the XWork component, which involves unsafe XML parsing. This vulnerability allows attackers to trigger an infinite loop by sending crafted input, consuming CPU and memory until the system crashes. The flaw affects versions from 2.0.0 through 6.1.0, carrying a high severity score of 8.8. In one week, over 387,000 downloads of these vulnerable versions occurred, with 98% being End-of-Life (EOL) versions, such as Struts 2.3, which have not received official updates in over 2,200 days. The secure version, Struts 6.1.1, which includes stricter parser hardening, has seen minimal adoption, accounting for only 1.8% of downloads.

This situation highlights the critical challenge of managing legacy software and the "dead software problem" in cybersecurity. The widespread use of unsupported and vulnerable components creates a significant attack surface for organizations. The lag between vulnerability disclosure and the adoption of secure versions, exacerbated by the speed of AI-driven vulnerability discovery, leaves many systems exposed. It underscores the urgent need for organizations to audit their software dependencies and proactively migrate to supported versions to mitigate risks from deeply embedded outdated code.
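As an added illustration of the dependency audit the summary calls for (this is example code written for this page, not Sonatype's or the Struts project's tooling), the script below reads `mvn dependency:list` output and flags `org.apache.struts:struts2-core` entries that fall in the affected range 2.0.0 through 6.1.0, marks the 2.3 branch the article cites as End-of-Life, and reports 6.1.1 or later as fixed. The sample output lines are constructed, and treating only 2.3.x as EOL is an assumption drawn from the text.

```python
import re
from typing import NamedTuple

# Version facts as stated in the article above.
AFFECTED_MIN = (2, 0, 0)   # first affected Struts version
AFFECTED_MAX = (6, 1, 0)   # last affected Struts version
FIXED = (6, 1, 1)          # first version shipping the hardened XML parser
EOL_BRANCH = (2, 3)        # branch the article names as End-of-Life (assumption: only 2.3.x flagged)

# `mvn dependency:list` prints one coordinate per line: groupId:artifactId:type:version:scope
DEP_LINE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>\w+):(?P<version>[\w.\-]+):(?P<scope>\w+)"
)

# Constructed sample of dependency:list output (not real build output).
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.struts:struts2-core:jar:2.3.37:compile
[INFO]    org.apache.struts:struts2-core:jar:6.1.1:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile
"""

class Finding(NamedTuple):
    artifact: str
    version: str
    status: str

def parse_version(text: str) -> tuple:
    """Turn '2.3.37' or '6.1.0-RC1' into a comparable tuple; qualifiers are dropped."""
    nums = []
    for part in re.split(r"[.\-]", text):
        if not part.isdigit():
            break  # stop at the first qualifier such as RC1 or SNAPSHOT
        nums.append(int(part))
    return tuple(nums) + (0,) * (3 - len(nums))  # pad so '2.3' compares like 2.3.0

def classify(version: str) -> str:
    """Map a struts2-core version to vulnerable / eol-and-vulnerable / fixed / unaffected."""
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "eol-and-vulnerable" if v[:2] == EOL_BRANCH else "vulnerable"
    return "fixed" if v >= FIXED else "unaffected"

def audit(mvn_output: str) -> list:
    """Return one Finding per struts2-core coordinate seen in the build output."""
    findings = []
    for line in mvn_output.splitlines():
        m = DEP_LINE.search(line)
        if m and m["group"] == "org.apache.struts" and m["artifact"] == "struts2-core":
            findings.append(Finding(m["artifact"], m["version"], classify(m["version"])))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.artifact} {f.version}: {f.status}")
```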

Source: HackRead
