Apache Struts2 S2-052 RCE

Nash N Sulthan
Published on
16 Jun 2021

Apache Struts 2 is a sophisticated, extensible platform for developing enterprise-grade Java web applications. The bug is caused by improper deserialization in the Struts REST plugin. When deserializing XML payloads, the REST plugin in Apache Struts 2.1.2 through 2.3.x prior to 2.3.34 and 2.5.x prior to 2.5.13 uses an XStreamHandler with an instance of XStream without any type filtering, which can result in remote code execution. Remote code execution is possible because the Struts REST plugin does not validate or sanitize its input.

Mitigation / Precaution

  • If your web application server is running one of the affected versions, please upgrade it as soon as possible to Struts 2.3.34 or Struts 2.5.13.
  • Another option is to restrict the plugin to serving mostly normal pages and JSON.
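
A check for the upgrade advice above, as an added example that is not part of the original post: it scans a jar inventory for the Struts REST plugin and flags versions inside the affected ranges given on this page. The sample paths are constructed, and the pattern assumes the standard Maven artifact name `struts2-rest-plugin-<version>.jar`.

```python
import re

# Affected ranges as stated in the text above:
# 2.1.2 through 2.3.x before 2.3.34, and 2.5.x before 2.5.13.
AFFECTED_RANGES = [((2, 1, 2), (2, 3, 34)), ((2, 5, 0), (2, 5, 13))]

# Assumed jar naming (Maven artifact): struts2-rest-plugin-<version>.jar
REST_JAR = re.compile(r"(?:^|[\\/])struts2-rest-plugin-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1), padded to at least three parts."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version_text):
    """True when the version falls in a range the page lists as vulnerable."""
    version = parse_version(version_text)
    return any(low <= version < high for low, high in AFFECTED_RANGES)


def audit(jar_paths):
    """Return (path, version, affected) for every REST plugin jar found."""
    findings = []
    for path in jar_paths:
        match = REST_JAR.search(path.strip())
        if match:
            version = match.group(1)
            findings.append((path.strip(), version, is_affected(version)))
    return findings


# Constructed sample inventory, e.g. the output of `find . -name '*.jar'`.
SAMPLE = [
    "app1/WEB-INF/lib/struts2-core-2.3.31.jar",
    "app1/WEB-INF/lib/struts2-rest-plugin-2.3.31.jar",
    "app2/WEB-INF/lib/struts2-rest-plugin-2.5.10.1.jar",
    "app3/WEB-INF/lib/struts2-rest-plugin-2.5.13.jar",
    "app4/WEB-INF/lib/struts2-core-2.5.12.jar",  # no REST plugin deployed
]

if __name__ == "__main__":
    for path, version, affected in audit(SAMPLE):
        print(f"{'AFFECTED' if affected else 'ok':8} {version:10} {path}")
```

Applications that ship Struts core without the REST plugin jar, like `app4` in the sample, produce no finding because the flaw described here is in the plugin.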

Written by
Nash N Sulthan
Cyber Security Lead Engineer