Headline

GHSA-cx25-xg7c-xfm5: Apache Struts Extras Before 2 has an Improper Output Neutralization for Logs Vulnerability

** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts.

This issue affects Apache Struts Extras: before 2.

When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line, confusing consumers of the logs (either human or automated).

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

20 hours ago

ghsa

Open in Source

#vulnerability #apache #git #java #maven

GitHub Advisory Database
GitHub Reviewed
CVE-2025-54656

Apache Struts Extras Before 2 has an Improper Output Neutralization for Logs Vulnerability

Moderate severity GitHub Reviewed Published Jul 30, 2025 to the GitHub Advisory Database • Updated Jul 30, 2025

Package

maven org.apache.struts:struts-extras (Maven)

Affected versions

<= 1.3.10

** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts.

This issue affects Apache Struts Extras: before 2.

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

References