Struts S2-069 (CVE-2025-68493): The Undying Ghost of XML Parsing Past
Vulnerability ID: CVE-2025-68493
CVSS Score: 8.1
Published: 2026-01-11
Apache Struts has returned to the spotlight with S2-069, a classic XML External Entity (XXE) vulnerability in the XWork component. Even in 2026, the framework's core configuration parser failed to disable external entity resolution, allowing an attacker who controls configuration inputs to read local files, trigger SSRF, or cause a denial of service.
TL;DR
A critical XXE flaw in Apache Struts versions 6.0.0 through 6.1.0 (and older EOL versions) allows attackers to weaponize XML configuration parsing. By injecting malicious DTDs, attackers can exfiltrate sensitive files (such as /etc/passwd) or pivot into internal networks via SSRF. The fix is to upgrade to 6.1.1, which explicitly disables unsafe XML features in the SAXParserFactory.
⚠️ Exploit Status: PoC
Technical Details
- Attack Vector: Network (XML Configuration Injection)
- CVSS v3.1: 8.1 (High)
- CWE ID: CWE-611 (XXE)
- Impact: Information Disclosure, SSRF, DoS
- EPSS Score: 0.00037 (Low Probability)
- Exploit Status: Proof of Concept (PoC) Available
Affected Systems
- Apache Struts >= 2.0.0, <= 2.3.37 (EOL, no fix available)
- Apache Struts >= 2.5.0, <= 2.5.33 (EOL, no fix available)
- Apache Struts >= 6.0.0, <= 6.1.0 (fixed in 6.1.1)
Exploit Details
- GitHub Gist: Analysis and potential PoC vectors for S2-069
Mitigation Strategies
- Upgrade to Apache Struts 6.1.1+
- Disable external entities via JVM system properties
- Implement WAF rules blocking XML DOCTYPE declarations
Remediation Steps:
- Identify all instances of struts2-core in your dependency tree (Maven/Gradle).
- Update the version to 6.1.1 or the latest stable release.
- Rebuild and deploy the application.
- Validate the fix by attempting a harmless XXE injection against a test environment.