Struts S2-069 (CVE-2025-68493): The Undying Ghost of XML Parsing Past
Jan 13, 2026 · 6 min read
Executive Summary (TL;DR)
A critical XXE flaw in Apache Struts 6.0.0 through 6.1.0 (and in older, end-of-life 2.x versions) lets an attacker abuse the framework's XML configuration parsing. By injecting a malicious DTD, an attacker can exfiltrate sensitive files (such as /etc/passwd) or pivot into internal networks via SSRF. The fix is to upgrade to 6.1.1, which explicitly disables the unsafe XML features in the SAXParserFactory.
Apache Struts is back in the spotlight with S2-069, a classic XML External Entity (XXE) vulnerability in the XWork component. Even in 2026, the framework's core configuration parser did not disable external entity resolution, so an attacker who controls configuration inputs can read local files, trigger SSRF, or cause a denial of service.
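The added example below is not code from Struts or from this advisory; it places the weak default JAXP factory beside a hardened SAXParserFactory configuration and runs a constructed DOCTYPE-bearing document through both as a regression check. The feature set shown is the commonly recommended hardening list and is an assumption, not a quote of what the 6.1.1 patch applies.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxFactory {

    // Constructed sample: a config-like document carrying an internal DTD subset
    // that declares an external entity. The target is a placeholder path.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE struts [ <!ENTITY ext SYSTEM \"file:///placeholder/path\"> ]>\n" +
        "<struts><constant name=\"x\">&ext;</constant></struts>";

    // Weak setting: a plain JAXP factory honours DOCTYPE and resolves external entities.
    static SAXParserFactory defaultFactory() {
        return SAXParserFactory.newInstance();
    }

    // Corrected setting (assumed hardening list): refuse DTDs outright and, as a
    // second layer, disable external entities, external DTD loading and XInclude.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // Classifies what the parser did: accepted the document, rejected it by policy,
    // or attempted to open the external entity target (the behaviour XXE relies on).
    static String outcome(SAXParserFactory f, String xml) throws Exception {
        try {
            f.newSAXParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return "accepted";
        } catch (SAXParseException e) {
            return "rejected by parser: " + e.getMessage();
        } catch (IOException e) {
            return "external fetch attempted: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Regression check: only the hardened factory should report a rejection.
        System.out.println("default  -> " + outcome(defaultFactory(), SAMPLE_WITH_DOCTYPE));
        System.out.println("hardened -> " + outcome(hardenedFactory(), SAMPLE_WITH_DOCTYPE));
    }
}
```

The "external fetch attempted" branch is the signal to look for when auditing a parser: it means the DOCTYPE was honoured and the entity target was opened before any content check ran.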
Official Patches
Technical Appendix
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Apache Struts | >= 2.0.0, <= 2.3.37 | N/A (EOL) |
| Apache Struts | >= 2.5.0, <= 2.5.33 | N/A (EOL) |
| Apache Struts | >= 6.0.0, <= 6.1.0 | 6.1.1 |
| Attribute | Detail |
|---|---|
| Attack Vector | Network (XML Configuration Injection) |
| CVSS v3.1 | 8.1 (High) |
| CWE ID | CWE-611 (XXE) |
| Impact | Information Disclosure, SSRF, DoS |
| EPSS Score | 0.00037 (Low Probability) |
| Exploit Status | Proof of Concept (PoC) Available |
MITRE ATT&CK Mapping
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Known Exploits & Detection
Vulnerability Timeline