Improper Output Neutralization Vulnerability in Apache Struts by Apache
CVE-2025-54656

6.5 MEDIUM

Key Information:

Vendor: Apache
CVE Published: 30 July 2025

What is CVE-2025-54656?

A vulnerability in Apache Struts related to improper output neutralization for logs allows untrusted input to be printed to logs without filtering. This can result in misleading log entries, because specially crafted input can cause parts of a message to be misinterpreted as separate log lines. This issue affects earlier versions of Apache Struts Extras, which are no longer maintained. Users should restrict access to affected instances or consider migrating to supported alternatives to mitigate the risks associated with this vulnerability.
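The effect described above, next to one way to neutralize a value before it is logged. This is an added example, not code from Apache Struts or from this advisory; the class name `LogNeutralizer`, the logger name, the log message text and the sample input are constructed for illustration.

```java
import java.util.logging.Logger;

public class LogNeutralizer {
    // Hypothetical logger name, chosen for this example only.
    private static final Logger LOG = Logger.getLogger("example.audit");

    // Replace every character that a log viewer or parser may treat as a line
    // break or control code with a visible escape, so one event stays one line.
    static String neutralize(String untrusted) {
        if (untrusted == null) {
            return "(null)";
        }
        StringBuilder out = new StringBuilder(untrusted.length() + 16);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            switch (c) {
                case '\r': out.append("\\r"); break;
                case '\n': out.append("\\n"); break;
                case '\t': out.append("\\t"); break;
                case '\\': out.append("\\\\"); break; // keeps the escapes unambiguous
                default:
                    // ISO control characters (including NEL, U+0085) and the
                    // Unicode line and paragraph separators.
                    if (Character.isISOControl(c) || c == '\u2028' || c == '\u2029') {
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a request parameter carrying a line break followed
        // by text shaped like a second log record.
        String param = "save\n2025-07-30 12:00:00 INFO Login succeeded for user=admin";

        // Unsafe pattern: the value is concatenated as-is and renders as two lines.
        LOG.warning("Unhandled parameter value: " + param);

        // Neutralized: the line break is written as a backslash and the letter n,
        // so the whole value stays on a single log line.
        LOG.warning("Unhandled parameter value: " + neutralize(param));
    }
}
```

Structured log formats such as JSON, where the encoder escapes field values, achieve the same result without a hand-written filter.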

Affected Version(s)

Apache Struts Extras 0 < 2

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
