GHSA-j77q-2qqg-6989

GitHub Security Advisory

Apache Struts vulnerable to remote arbitrary command execution due to improper input validation

GitHub Reviewed: Yes | Severity: CRITICAL | Has CVE: Yes

Advisory Details

Apache Struts versions prior to 2.3.32 and 2.5.10.1 contain incorrect exception handling and error-message generation during file-upload attempts using the Jakarta Multipart parser, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Affected Packages

Maven: org.apache.struts:struts2-core
Affected versions: >= 2.3.0, < 2.3.32 (fixed in 2.3.32)

Maven: org.apache.struts:struts2-core
Affected versions: >= 2.5.0, < 2.5.10.1 (fixed in 2.5.10.1)

Key Information

GHSA ID: GHSA-j77q-2qqg-6989
Published: October 18, 2018 7:24 PM
Last Modified: July 25, 2024 8:18 PM
CVSS Score: 9.0 / 10
Primary Ecosystem: Maven
Primary Package: org.apache.struts:struts2-core
GitHub Reviewed: Yes

Dataset

Last updated: September 19, 2025 6:29 AM

Data from the GitHub Advisory Database. This information is provided for research and educational purposes.