The Struts 1 plugin used with Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.

Affected Packages

Maven org.apache.struts:struts2-struts1-plugin

Affected versions: 0 (last affected: 2.3.37)

Related CVEs

CVE-2017-9791

Key Information

GHSA ID

GHSA-29rm-6752-gvwv

Published

May 13, 2022 1:26 AM

Last Modified

January 23, 2025 10:21 PM

CVSS Score

9.0 /10

Primary Ecosystem

Maven

Primary Package

org.apache.struts:struts2-struts1-plugin

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 21, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.