An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.
Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.

Affected Packages

Maven org.apache.struts:struts2-core

Affected versions: 2.0.0 (fixed in 2.5.33)

Maven org.apache.struts:struts2-core

Affected versions: 6.0.0 (fixed in 6.3.0.2)

Related CVEs

CVE-2023-50164

Key Information

GHSA ID

GHSA-2j39-qcjm-428w

Published

December 7, 2023 9:30 AM

Last Modified

February 13, 2025 7:28 PM

CVSS Score

9.0 /10

Primary Ecosystem

Maven

Primary Package

org.apache.struts:struts2-core

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 27, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.