File upload logic is flawed vulnerability in Apache Struts. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.

This issue affects Apache Struts: from 2.0.0 before 6.4.0.

Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload. If you are not using an old file upload logic based on FileuploadInterceptor your application is safe.

You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067 .

Affected Packages

Maven org.apache.struts:struts2-core

Affected versions: 0 (fixed in 6.4.0)

Related CVEs

CVE-2024-53677

Key Information

GHSA ID

GHSA-43mq-6xmg-29vm

Published

December 11, 2024 6:30 PM

Last Modified

July 15, 2025 11:05 PM

CVSS Score

9.0 /10

Primary Ecosystem

Maven

Primary Package

org.apache.struts:struts2-core

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 10, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.