CVE-2025-68493: Critical XML Validation Vulnerability in Apache Struts

CVE-2025-68493 is a recently published security vulnerability in the widely used Apache Struts framework, affecting a broad range of versions and posing serious risks to applications that process XML data. The flaw was officially published on January 11, 2026, and has sparked urgent attention across the cybersecurity community.

What Is the Vulnerability?

CVE-2025-68493 stems from missing XML validation in Apache Struts’ XWork component, a core part of the framework responsible for parsing XML configuration files. Due to incomplete or improper validation of XML input, the software can process maliciously crafted XML containing external entities. This enables classic XML External Entity (XXE) injection attacks, which can be used to manipulate application behavior and compromise data.

In technical terms, this vulnerability is associated with CWE-112 (Missing XML Validation).

Who Is Affected?

The flaw affects nearly all maintained versions of Apache Struts from early legacy branches up through recent releases:

  • Struts 2.0.0 up to but before 2.2.1
  • Struts 2.2.1 through 6.1.0

These ranges include both end-of-life versions and fully supported releases. Because Struts is deeply embedded in many enterprise Java applications — from legacy internal systems to modern web services — the potential exposure footprint is broad and diverse.

Potential Security Impacts

If successfully exploited, CVE-2025-68493 can have serious consequences for affected applications:

  • Sensitive Data Exposure: Attackers can craft XML inputs that cause the application to read internal files or configuration data not intended for external access.
  • Server-Side Request Forgery (SSRF): Vulnerable systems may be manipulated to send unauthorized requests to internal services behind firewalls.
  • Denial of Service (DoS): Malformed XML payloads can overwhelm parsers or cause application crashes, resulting in service disruption.

The vulnerability does not require user authentication, meaning exploitation could be remotely initiated against exposed endpoints that accept XML input.

Why It Matters

Apache Struts is a foundational open-source web application framework used by thousands of organizations around the world. Its flexibility and extensibility — especially around configuration via XML — have made it a staple for enterprise Java developers. However, this legacy XML usage also brings risk, as parser misconfiguration or lack of validation can expose critical systems to attackers.

The discovery of CVE-2025-68493 underscores the broader danger of insecure XML handling in widely deployed software and the ongoing need for rigorous input validation. Attackers routinely target such weaknesses in mature frameworks, given their ubiquitous presence and deep integration into business systems.

Mitigation and Remediation

The Apache Software Foundation has issued an official mitigation path:

  • Upgrade to Apache Struts 6.1.1 or later: the fix is included in that release and subsequent ones, and it is backward compatible with existing applications.

For organizations unable to apply the patch immediately, there are temporary defenses:

  • Disable external entities: Configure XML parsers at the JVM level with properties that block external DTDs and schemas (e.g., -Djavax.xml.accessExternalDTD="").
  • Custom SAXParserFactory: Override the default XML parser factory to disable external entity resolution.

These workarounds help reduce the attack surface while longer-term patching plans are implemented.
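As an added illustration of the second workaround (this is example code written for this article, not code from the Apache Struts project or the advisory), the following hardened SAXParserFactory refuses DOCTYPE declarations and disables external entity resolution, and is exercised against a constructed sample document whose DTD points at an inert placeholder URI; the class name, sample document and helper names are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxParser {
    // Constructed sample: a document whose DTD declares an external entity.
    // The SYSTEM identifier is a non-resolvable placeholder, not a real resource.
    static final String SAMPLE_WITH_EXTERNAL_ENTITY =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE struts [ <!ENTITY ext SYSTEM \"http://placeholder.invalid/x.dtd\"> ]>\n"
      + "<struts><package>&ext;</package></struts>";

    // Hardened factory: reject any DOCTYPE outright (which stops XXE before any entity
    // is declared) and, as defence in depth, switch off external entities and DTD loading.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    // Returns true if the document parsed, false if the hardened parser rejected it.
    static boolean parseWith(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        // Per-parser equivalent of the JVM-level javax.xml.accessExternalDTD property named
        // in the article (empty string = allow no protocols), plus the schema counterpart.
        parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        try {
            parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                         new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        boolean accepted = parseWith(hardenedFactory(), SAMPLE_WITH_EXTERNAL_ENTITY);
        System.out.println("hardened parser accepted external-entity document: " + accepted);
    }
}
```

With the DOCTYPE feature set, the sample is rejected before any entity is resolved, so the placeholder URI is never contacted; the same feature set can be applied to DocumentBuilderFactory for DOM parsing.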

Response and Recommendations

Security teams and developers should take the following steps:

  1. Inventory all Struts deployments: Identify applications using versions within the vulnerable range.
  2. Apply the update promptly: Upgrading to Struts 6.1.1 or higher should be prioritized.
  3. Harden XML processing: Even after patching, adopt secure XML parsing practices across your stack.
  4. Monitor for exploitation attempts: Watch for unusual access patterns, particularly XML-formatted requests to public endpoints.