TL;DR:
Apache Struts had a severe vulnerability (CVE-2024-53677) in its file upload logic, present from version 2.0.0 up to (but not including) 6.4.0. This bug could let an attacker upload files with path traversal, possibly leading to Remote Code Execution (RCE). If you use Struts and the old FileUploadInterceptor mechanism, you need to upgrade to 6.4.0 or later ASAP and migrate to the new upload mechanism. See official docs here and full advisory.

Background: What is CVE-2024-53677?

Apache Struts is a popular Java web framework. File uploads are a common feature in web apps, but they're risky if not handled right. CVE-2024-53677 reveals a flaw in how old versions of Struts processed upload parameters: it was possible for attackers to manipulate filename or upload paths, causing the application to write files in unintended directories.

In some cases, this lets attackers write web shells (malicious server-side scripts), config files, or other dangerous payloads to locations where the web server may execute them—leading to full Remote Code Execution (RCE).

You are NOT affected if

- You are already using Struts' new file upload mechanism (see the new documentation)

The Vulnerability: Path Traversal Via File Upload

The core issue is improper sanitization of file paths from upload parameters. With a crafted HTTP POST request (usually multipart/form-data), an attacker can supply a filename containing sequences like ../ to break out of the intended upload directory.

Example Malicious Upload Request

```http
POST /upload.action HTTP/1.1
Host: vulnerable-struts.example.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXYZ

------WebKitFormBoundaryXYZ
Content-Disposition: form-data; name="file"; filename="../../../../../../var/www/html/shell.jsp"
Content-Type: application/octet-stream

<jsp code or malicious payload here>
------WebKitFormBoundaryXYZ--
```

What happens:
If the server copies this file using the supplied path, the payload lands outside the upload folder, potentially in a web-accessible directory or another sensitive location.

Here's a simplified example of a vulnerable Java code pattern:

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;

public String uploadFile(File file, String fileName) throws IOException {
    // BAD - does not sanitize fileName, which comes straight from the multipart request!
    File uploadDir = new File("/var/www/uploads");
    File destination = new File(uploadDir, fileName);

    // This allows path traversal: fileName = "../../webapps/ROOT/shell.jsp"
    Files.copy(file.toPath(), destination.toPath(), StandardCopyOption.REPLACE_EXISTING);
    return "success";
}
```

How it’s exploited:

- Attacker uploads the file as '../../webapps/ROOT/shell.jsp'.
- File is written to /var/www/webapps/ROOT/shell.jsp.

Suppose there's a public file upload form in a Struts-based web app:

```html
<form method="POST" enctype="multipart/form-data" action="/upload.action">
  <input type="file" name="file">
  <button type="submit">Upload</button>
</form>
```

An attacker crafts a malicious upload using cURL:

```bash
curl -F "file=@shell.jsp;filename=../../../../webapps/ROOT/shell.jsp" https://target.com/upload.action
```

- If successful, visiting https://target.com/shell.jsp now runs the attacker's code.

- Upgrade to Apache Struts 6.4.0 or later.
- Migrate to the new file upload mechanism. See migration guide.

If you can't upgrade immediately

1. Block dangerous filenames: Strip or deny file names containing ../, absolute paths, and unsafe extensions.

```java
// Minimal check: reject parent-directory references and absolute paths
if (fileName.contains("..") || fileName.startsWith("/")) {
    throw new SecurityException("Invalid filename!");
}
```

2. Whitelist valid extensions: Only allow expected file types (e.g. .jpg, .png).

3. Upload outside the webroot: Do *not* save uploaded files in directories directly served by the webserver.
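Putting the three mitigations together, here is a hardened counterpart to the vulnerable `uploadFile` above. This is an added example, not code from Apache Struts or from the original post; the upload directory `/var/app-data/uploads` (outside the webroot) and the allowed extension set are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.Set;

public class SafeUpload {
    // Assumption: uploads live outside the webroot, so the server never executes them.
    private static final Path UPLOAD_DIR =
            Paths.get("/var/app-data/uploads").toAbsolutePath().normalize();
    // Assumption: only image/document types are expected; .jsp is deliberately absent.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("jpg", "png", "pdf");

    /** Returns the safe destination path, or throws if the client-supplied name is unsafe. */
    public static Path resolveDestination(String clientFileName) {
        if (clientFileName == null || clientFileName.isBlank()) {
            throw new SecurityException("Missing filename");
        }
        // Keep only the last path segment; treat '\' like '/' (Windows clients, proxies).
        String base = clientFileName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        // Anything that is not a plain, simple filename is rejected (also excludes NUL bytes).
        if (base.equals(".") || base.equals("..") || !base.matches("[A-Za-z0-9._-]{1,100}")) {
            throw new SecurityException("Invalid filename: " + clientFileName);
        }
        // Whitelist the extension rather than blacklisting dangerous ones.
        int dot = base.lastIndexOf('.');
        String ext = dot < 0 ? "" : base.substring(dot + 1).toLowerCase();
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new SecurityException("File type not allowed: " + ext);
        }
        // Defence in depth: confirm the resolved path still lies inside UPLOAD_DIR.
        Path dest = UPLOAD_DIR.resolve(base).normalize();
        if (!dest.startsWith(UPLOAD_DIR)) {
            throw new SecurityException("Path escapes upload directory");
        }
        return dest;
    }

    /** Hardened replacement for the vulnerable uploadFile pattern. */
    public static String uploadFile(Path tempFile, String clientFileName) throws IOException {
        Path dest = resolveDestination(clientFileName);
        Files.createDirectories(UPLOAD_DIR);
        Files.copy(tempFile, dest, StandardCopyOption.REPLACE_EXISTING);
        return "success";
    }
}
```

With this code, `resolveDestination("../../webapps/ROOT/shell.jsp")` throws because the remaining base name `shell.jsp` has a non-whitelisted extension, while `photo.jpg` resolves to `/var/app-data/uploads/photo.jpg`.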

References and More Reading

- Official Apache Struts Security Bulletin: S2-067
- Struts File Upload Documentation (new mechanism)
- CVE Record (as published)

Conclusion

File upload vulnerabilities are among the most dangerous in web development, and this CVE is a prime example. If you use Apache Struts and handle file uploads, stop what you're doing and upgrade to 6.4.0 or later. Make sure you are not relying on the legacy upload logic. Vulnerable setups could let attackers fully compromise your server.

Patch now, audit your file upload code, and review your server logs for suspicious uploads!

---

Questions or comments? Let me know below!

*(This write-up is based on the latest info as of June 2024. Always refer to official advisories for updates.)*

Timeline

Published on: 12/11/2024 16:15:14 UTC
Last modified on: 01/03/2025 12:15:26 UTC