CVE-2025-54656
BaseFortify
Publication date: 2025-07-30
Last updated on: 2025-11-04
Assigner: Apache Software Foundation
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | struts_extras | up to 2.0 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-117 | The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Improper Output Neutralization for Logs issue (CWE-117) in Apache Struts Extras before version 2. When LookupDispatchAction is used, Struts Extras may write untrusted input to its logs without neutralizing it. Specially crafted input can therefore appear in the log as if it were separate log lines, misleading the people or tools that read or process the logs.
How can this vulnerability impact me?
The vulnerability can cause log entries to be misleading or confusing by allowing attackers to inject crafted input that appears as separate log lines. This can hinder log analysis, potentially masking malicious activity or causing misinterpretation of log data. Since the affected product is retired and no fix will be released, users should either switch to alternatives or restrict access to trusted users to mitigate risk.
What immediate steps should I take to mitigate this vulnerability?
Since Apache Struts Extras before version 2 is affected and no fix will be released due to the project being retired, immediate mitigation steps include finding an alternative to this software or restricting access to the affected instance to trusted users only.