
Critical Apache Struts 2 bug could enable data theft, SSRF intrusions

Multiple iterations of the Apache Struts 2 open-source web application framework could be at risk from an XML external entity injection vulnerability, tracked as CVE-2025-68493.

Multiple iterations of the Apache Struts 2 open-source web application framework have been impacted by the high-severity XML external entity injection vulnerability, tracked as CVE-2025-68493.

The vulnerability could be exploited to facilitate data exposure, as well as denial-of-service and server-side request forgery intrusions, GBHackers News reports.

Attackers could leverage the flaw, which ZAST.AI researchers said stems from improper validation during XML configuration parsing in the framework's XWork component, by crafting malicious XML documents that trigger external entity processing. The result could be access to local files and internal resources, theft of sensitive data, and service disruption.

Organizations and developers using Apache Struts 2 have been advised to immediately update to version 6.1.1 or later to mitigate potential compromise. 

Those that cannot do so have been urged to either implement a custom SAXParserFactory that deactivates external entities or establish JVM-level system properties that prohibit external schemas, DTDs, and stylesheets.
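The following is an added example, not code from Apache Struts or the advisory, showing what both stop-gap mitigations look like in Java: a hypothetical `HardenedSAXParserFactory` whose parsers refuse DOCTYPE declarations and external entity resolution, and a helper that sets the JVM-level `javax.xml.accessExternalDTD`, `javax.xml.accessExternalSchema` and `javax.xml.accessExternalStylesheet` properties that deny external DTDs, schemas and stylesheets process-wide. It assumes Java 9 or later (for `SAXParserFactory.newDefaultInstance()`) and, as an assumption about deployment that the page does not describe, registers the factory through the standard JAXP lookup property `javax.xml.parsers.SAXParserFactory`; the XML snippets in `main()` are constructed samples.

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Hypothetical hardened SAXParserFactory (example code, not a Struts class).
 * Every parser it returns rejects DOCTYPE declarations, so no entity, external
 * or internal, can be declared, and JAXP access to external DTDs/schemas is
 * denied. Register it JVM-wide with
 *   -Djavax.xml.parsers.SAXParserFactory=HardenedSAXParserFactory
 * or instantiate it directly as main() does.
 */
public class HardenedSAXParserFactory extends SAXParserFactory {

    // newDefaultInstance() (Java 9+) returns the JDK's built-in factory without
    // consulting the javax.xml.parsers.SAXParserFactory lookup, so registering
    // this class as the system-wide factory cannot recurse into itself.
    private final SAXParserFactory delegate = SAXParserFactory.newDefaultInstance();

    @Override
    public SAXParser newSAXParser() throws ParserConfigurationException, SAXException {
        // Secure processing enables JAXP entity-expansion and size limits.
        delegate.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting DOCTYPE outright is the strongest XXE defence.
        delegate.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth should a caller re-enable DOCTYPE processing.
        delegate.setFeature("http://xml.org/sax/features/external-general-entities", false);
        delegate.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        delegate.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // XInclude is another route for pulling in external documents.
        delegate.setXIncludeAware(false);

        SAXParser parser = delegate.newSAXParser();
        // JAXP 1.5 access restrictions: the empty string denies every protocol.
        parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return parser;
    }

    @Override
    public void setFeature(String name, boolean value)
            throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
        delegate.setFeature(name, value);
    }

    @Override
    public boolean getFeature(String name)
            throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
        return delegate.getFeature(name);
    }

    // Forward the configuration callers commonly set; XInclude stays off.
    @Override public void setNamespaceAware(boolean aware) { delegate.setNamespaceAware(aware); }
    @Override public boolean isNamespaceAware() { return delegate.isNamespaceAware(); }
    @Override public void setValidating(boolean validating) { delegate.setValidating(validating); }
    @Override public boolean isValidating() { return delegate.isValidating(); }

    // The JVM-level alternative: deny external DTDs, schemas and stylesheets
    // for every JAXP parser in the process (same effect as -D options).
    public static void applyJvmLevelRestrictions() {
        System.setProperty("javax.xml.accessExternalDTD", "");
        System.setProperty("javax.xml.accessExternalSchema", "");
        System.setProperty("javax.xml.accessExternalStylesheet", "");
    }

    // Parses a document and reports whether the hardened parser accepted it.
    public static boolean accepts(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        SAXParser parser = new HardenedSAXParserFactory().newSAXParser();
        try {
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXParseException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a benign config-style document, and one carrying
        // a DOCTYPE with an external entity that points at a placeholder URL.
        String benign = "<struts><constant name=\"struts.devMode\" value=\"false\"/></struts>";
        String withDoctype = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE struts [<!ENTITY ext SYSTEM \"file:///placeholder/not-read\">]>\n"
                + "<struts>&ext;</struts>";
        System.out.println("benign accepted: " + accepts(benign));
        System.out.println("doctype accepted: " + accepts(withDoctype));
    }
}
```

The DOCTYPE document is rejected before the entity is ever resolved, which is the behaviour to verify in a staging environment after wiring the factory in. The JVM-level properties can instead be passed on the command line as `-Djavax.xml.accessExternalDTD= -Djavax.xml.accessExternalSchema= -Djavax.xml.accessExternalStylesheet=`; note that they only restrict access to external resources and do not by themselves disable DOCTYPE or internal entity expansion, so the factory approach is the stronger of the two.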

Sharon Florentine, Editorial Director

Sharon Florentine is the editorial director for CyberRisk Alliance’s Channel Brands and acting editorial director for SC UK. She is responsible for setting strategy and editorial direction and developing content for news, features, analysis and other written content, moderates live webcasts, and oversees research projects. Sharon has previously held key editorial, content and leadership positions at DevOps.com, Security Boulevard, CIO.com, Ziff Davis Enterprise, and CRN, among others.
