Apache Struts 2 vulnerability discovered, as proof of concept circulates

A new vulnerability in the Struts 2 web application framework can potentially enable a remote attacker to execute code on systems running apps based on earlier versions of the software.

The vulnerability, announced this week by Apache, involves a potential attacker manipulating file upload parameters in what is referred to as a path traversal attack. Path traversal is a broad term, according to Akamai senior security researcher Sam Tinklenberg.

“In this case, the use of path traversals allows an attacker to upload a malicious file, most likely a webshell, outside of the normal upload directory,” he said. “The exact location will differ from application to application and must be a valid path which can be accessed from the internet.”

The flaw affects only older versions of the Struts 2 framework, and upgrading to versions 2.5.33, 6.3.0.2 or greater should eliminate the possibility of exploitation. It was first reported by researcher Steven Seeley.

Struts’ maintainers at the Apache Software Foundation urged users to patch immediately, saying that the update is “a drop-in replacement, and upgrade should be straightforward.”

Adding urgency to the need to patch is the news that proof of concept code has been spotted in the wild. A post from the Shadowserver Foundation, a nonprofit security group that bills itself as a leading reporter and tracker of malicious internet activity, on X (formerly Twitter), said that PoC code has been seen on sensors.