CVE-2025-54656 Information

Jul 31, 2025 cve

Description

UNSUPPORTED WHEN ASSIGNED Improper Output Neutralization for Logs vulnerability in Apache Struts.

This issue affects Apache Struts Extras: before 2.

When using LookupDispatchAction in some cases Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line confusing consumers of the logs (either human or automated). 

As this project is retired we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Reference

https://lists.apache.org/thread/so5cn07j2zn9vlf1xnfqp630wts719rr

CNNVD-202507-3791 (Published: 2025-07-30)

Share on: