
CVE-2025-54656: Apache Struts Extras Before 2 has an Improper Output Neutralization for Logs Vulnerability

CVSS Score
6.5 (CVSS v3.1)

Basic Information

EPSS Score
-
Published
7/30/2025
Updated
7/30/2025
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Package Name
org.apache.struts:struts-extras
Ecosystem
maven
Vulnerable Versions
<= 1.3.10
First Patched Version
-

Vulnerability Intelligence

Root Cause Analysis

The vulnerability exists in the LookupDispatchAction class within the Apache Struts Extras library. The getMethodName method retrieves a parameter value from the HTTP request and uses it to look up a method to execute. This parameter value is passed as keyName to the getLookupMapName method. If the keyName is not found in the lookup map, it is logged using LOG.error. Because the keyName is not sanitized before being logged, an attacker can inject newline characters and forge log entries. This can be used to confuse log monitoring systems or hide other malicious activities. The vulnerable code is present in version 1.3.10 and older of struts-extras. As the library is no longer maintained, there is no official patch for this vulnerability.

Vulnerable functions

org.apache.struts.actions.LookupDispatchAction.getLookupMapName
extras/src/main/java/org/apache/struts/actions/LookupDispatchAction.java
The 'keyName' variable, which is derived from a user-provided request parameter, is logged without any sanitization. An attacker can provide a malicious 'keyName' containing newline characters to inject fake log entries.
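The following is an added example written for this page; it is not code from Apache Struts or from Miggo. It reproduces the pattern described in the root cause analysis and in the vulnerable-function note above (a request-derived key that misses the lookup map and is written to the log unchanged) next to a hardened variant that neutralizes control characters before the value reaches the logger. The class name, the helper names and the log message wording are assumptions; the sample key value is constructed for the demonstration.

```java
import java.util.logging.Logger;

// Added example (not Struts code): the log-forging pattern from the
// advisory beside one way to neutralize the value before logging.
public class LogNeutralizationDemo {

    private static final Logger LOG = Logger.getLogger(LogNeutralizationDemo.class.getName());

    // Vulnerable pattern: the request parameter is concatenated into the
    // log message as-is, so an embedded CR/LF starts a new log line.
    static String vulnerableMessage(String keyName) {
        return "Lookup key '" + keyName + "' not found in lookup map";
    }

    // Neutralizer: every control character (CR, LF, TAB, other C0/DEL
    // characters) and the Unicode line/paragraph separators are replaced
    // with a visible escape, so the logged value stays on one line.
    static String neutralizeForLog(String input) {
        if (input == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '\n': sb.append("\\n"); break;
                case '\r': sb.append("\\r"); break;
                case '\t': sb.append("\\t"); break;
                default:
                    if (c < 0x20 || c == 0x7f || c == '\u2028' || c == '\u2029') {
                        sb.append(String.format("\\u%04x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.toString();
    }

    // Hardened pattern: same message, value neutralized first.
    static String hardenedMessage(String keyName) {
        return "Lookup key '" + neutralizeForLog(keyName) + "' not found in lookup map";
    }

    // Detection helper for a request filter or log pipeline: true when a
    // parameter value would break the one-entry-per-line log layout.
    static boolean containsLineBreak(String value) {
        return value != null && !neutralizeForLog(value).equals(value);
    }

    public static void main(String[] args) {
        // Constructed sample: a lookup key carrying an embedded line break.
        String keyName = "button.save\nsecond line";

        System.out.println("--- vulnerable: message spans two lines ---");
        System.out.println(vulnerableMessage(keyName));

        System.out.println("--- hardened: message stays on one line ---");
        System.out.println(hardenedMessage(keyName));

        System.out.println("flagged by containsLineBreak: " + containsLineBreak(keyName));

        // What LookupDispatchAction.getLookupMapName does on a miss, but
        // with the neutralized value.
        LOG.severe(hardenedMessage(keyName));
    }
}
```

Run it with `javac LogNeutralizationDemo.java && java LogNeutralizationDemo`. The neutralizer escapes rather than strips, so an analyst reading the log can still see that a line break was present in the input, which is itself a useful signal. Where the logging framework supports it, the same result can be had by configuring the appender's message encoder to escape CR/LF instead of patching every call site.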

WAF Protection Rules

WAF Rule

** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts. This issue affects Apache Struts Extras: before 2. When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs

Reasoning

The vulnerability exists in the `LookupDispatchAction` class within the Apache Struts Extras library. The `getMethodName` method retrieves a parameter value from the HTTP request and uses it to look up a method to execute. This parameter value is passed as `keyName` to the `getLookupMapName` method.