We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-54656

Apache Struts Extras: Improper Output Neutralization for Logs



Description

** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts. This issue affects Apache Struts Extras: before 2. When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line, confusing consumers of the logs (either human or automated).  As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Reserved 2025-07-28 | Published 2025-07-30 | Updated 2025-07-30 | Assigner apache

Problem types

CWE-117 Improper Output Neutralization for Logs

Product status

Default status
unaffected

Any version before 2
affected

Credits

Ryan Murphy of HeroDevs finder

References

lists.apache.org/thread/so5cn07j2zn9vlf1xnfqp630wts719rr vendor-advisory

cve.org (CVE-2025-54656)

nvd.nist.gov (CVE-2025-54656)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-54656

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.