6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-54656

GHSA ID

GHSA-cx25-xg7c-xfm5

EPSS Score

CWE

CWE-117

Published

7/30/2025

Updated

7/30/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-54656

CVE-2025-54656: Apache Struts Extras Before 2 has an Improper Output Neutralization for Logs Vulnerability

** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts.

This issue affects Apache Struts Extras: before 2.

When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line, confusing consumers of the logs (either human or automated).

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-54656

GHSA ID

GHSA-cx25-xg7c-xfm5

EPSS Score

CWE

CWE-117

Published

7/30/2025

Updated

7/30/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.struts:struts-extras	maven	<= 1.3.10

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the LookupDispatchAction class within the Apache Struts Extras library. The getMethodName method retrieves a parameter value from the HTTP request and uses it to look up a method to execute. This parameter value is passed as keyName to the getLookupMapName method. If the keyName is not found in the lookup map, it is logged using LOG.error. Because the keyName is not sanitized before being logged, an attacker can inject newline characters and forge log entries. This can be used to confuse log monitoring systems or hide other malicious activities. The vulnerable code is present in version 1.3.10 and older of struts-extras. As the library is no longer maintained, there is no official patch for this vulnerability.

Vulnerable functions

org.apache.struts.actions.LookupDispatchAction.getLookupMapName

extras/src/main/java/org/apache/struts/actions/LookupDispatchAction.java

The 'keyName' variable, which is derived from a user-provided request parameter, is logged without any sanitization. An attacker can provide a malicious 'keyName' containing newline characters to inject fake log entries.

WAF Protection Rules

WAF Rule

** UNSUPPORT** W**N *SSI*N** ** Improp*r Output N*utr*liz*tion *or Lo*s vuln*r**ility in *p**** Struts. T*is issu* *****ts *p**** Struts *xtr*s: ***or* *. W**n usin* Lookup*isp*t****tion, in som* **s*s, Struts m*y print untrust** input to t** lo*s

Reasoning

T** vuln*r**ility *xists in t** `Lookup*isp*t****tion` *l*ss wit*in t** *p**** Struts *xtr*s li*r*ry. T** `**tM*t*o*N*m*` m*t*o* r*tri*v*s * p*r*m*t*r v*lu* *rom t** *TTP r*qu*st *n* us*s it to look up * m*t*o* to *x**ut*. T*is p*r*m*t*r v*lu* is p*s

6.5

Basic Information

Concerned about an active attack path?

CVE-2025-54656: Apache Struts Extras Before 2 has an Improper Output Neutralization for Logs Vulnerability

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI