In June 2024, a serious security vulnerability, identified as CVE-2025-68493, was disclosed in Apache Struts. This vulnerability is caused by missing XML validation, which can allow attackers to inject harmful XML data into applications, potentially leading to severe consequences like data exposure, Denial of Service (DoS), or even remote code execution (RCE).

This post explains what this vulnerability is, who is affected, how attacks can happen, and, most importantly, how you can protect your applications from it. It is written to be easy to follow for anyone working with Struts or similar XML-processing technologies.

Affected versions: Apache Struts 2.2.1 – 6.1.0.

If your version falls between 2.2.1 and 6.1.0 (inclusive), you are at risk.
The fixed release is Apache Struts 6.1.1 or later.

What goes wrong:

- XML input sent to your web application is not properly checked before it is parsed,
- Dangerous XML features such as external entity loading (used for XXE attacks) and entity expansion (used for XML bombs) can therefore be abused.

Why Does XML Validation Matter?

When an app works with XML input, it should verify the structure and content before acting on it, and it should disable the parser features that untrusted input has no business using. If it doesn't, attackers can send malicious XML payloads and create havoc through:

- XXE (XML External Entity) attacks, which make the parser read local files or URLs chosen by the attacker
- XML bombs (for example "Billion Laughs"), which expand a few kilobytes of entities into gigabytes of memory and cause Denial of Service

Let's say your Struts app accepts an XML upload or XML API input:

```java
import com.opensymphony.xwork2.ActionSupport;
import java.io.InputStream;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

// Simplified Struts action class
public class MyXMLAction extends ActionSupport {
    private InputStream xmlFile;
    private String result;

    public void setXmlFile(InputStream xmlFile) {
        this.xmlFile = xmlFile;
    }

    public String getResult() {
        return result;
    }

    public String execute() throws Exception {
        // UNSAFE: the factory is used with its defaults, so DOCTYPE declarations,
        // external entities and entity expansion are all honoured, and nothing
        // validates or sanitizes the uploaded XML before it is parsed.
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(xmlFile);
        // Echoing parsed content back to the client is what turns XXE into data exposure.
        result = doc.getDocumentElement().getTextContent();
        return SUCCESS;
    }
}
```

If you don't enable secure XML parsing or validate input, an attacker can send something like:

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<root>&xxe;</root>
```

The `&xxe;` reference is replaced with the contents of `/etc/passwd`, the Linux user account database (the classic proof-of-concept target; any file the application user can read works the same way). With no validation or parser hardening, Struts will process it.

1. The attacker finds an endpoint of your Struts app that accepts XML (a file upload or an XML API).
2. They submit the malicious XML shown above.
3. If the app returns the parsed content, the attacker gets your server's file contents in the response.
4. Or, the attacker submits a "Billion Laughs" payload (a type of XML bomb) and the server's memory spikes, causing Denial of Service.

How to Fix and Stay Safe

The only secure fix is to upgrade to Apache Struts 6.1.1 or newer. The new version adds strict XML validation and disables dangerous features by default.

- Download here: https://struts.apache.org/download.cgi

For older versions that cannot be upgraded yet (not recommended!), harden every `DocumentBuilderFactory`, `SAXParserFactory` or `XMLInputFactory` your code uses before it touches untrusted XML:

```java
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// Forbid DOCTYPE entirely: blocks XXE and entity-expansion bombs in one step
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Defence in depth, in case a DOCTYPE ever has to be accepted
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setXIncludeAware(false);
factory.setExpandEntityReferences(false);
```

Note that `setFeature` throws `ParserConfigurationException` if the underlying parser does not support a feature; treat that as a hard failure rather than silently continuing with an unhardened parser.

More Reading

- Official Struts Security Bulletin: struts.apache.org/security.html
- Announcing Struts 6.1.1 Release: Release Notes
- What is XXE Attack? PortSwigger Web Security

Conclusion

CVE-2025-68493 is a clear example of how missing input validation in a popular web framework can create devastating security risks. If you use Apache Struts, act immediately—upgrade to 6.1.1.

Don’t leave your app open to attack. Share this information and help keep everyone’s applications safer!


Stay secure! If you have questions, feel free to contact the Struts team, and check your dependency management configuration now to confirm which Struts version you are actually shipping.


*Exclusive write-up for 2024. Please link back if you share.*

Timeline

Published on: 01/11/2026 13:05:36 UTC
Last modified on: 01/16/2026 14:31:16 UTC