** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts.

This issue affects Apache Struts Extras: before 2.

When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line, confusing consumers of the logs (either human or automated). 

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 06 Aug 2025 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache struts Extras
CPEs cpe:2.3:a:apache:struts_extras:*:*:*:*:*:*:*:*
Vendors & Products Apache struts Extras

Thu, 31 Jul 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache struts
Vendors & Products Apache
Apache struts

Wed, 30 Jul 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 30 Jul 2025 16:15:00 +0000

Type Values Removed Values Added
Description ** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts. This issue affects Apache Struts Extras: before 2. When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line, confusing consumers of the logs (either human or automated).  As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Title Apache Struts Extras: Improper Output Neutralization for Logs
Weaknesses CWE-117
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2025-07-30T17:33:03.340Z

Reserved: 2025-07-28T09:03:13.122Z

Link: CVE-2025-54656

cve-icon Vulnrichment

Updated: 2025-07-30T17:29:19.141Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-30T16:15:28.693

Modified: 2025-08-06T13:52:03.277

Link: CVE-2025-54656

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-07-31T10:09:18Z