CVE-2017-5638

CVE-2017-5638 is a critical-severity vulnerability in Apache Struts with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-755.

Key facts

Description

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

CVE-2017-5638: Apache Struts 2 Jakarta Multipart Parser Remote Code Execution (S2-045)

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2017-5638
CWE CWE-755 — Improper Handling of Exceptional Conditions
CVSS v2 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS v3.1 9.8 (CRITICAL) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.99999 (99.994th percentile)
KEV Yes — CISA KEV, EU exploited since 2021-11-03
Published 2017-03-11
Vendor Apache Software Foundation
Advisories S2-045, S2-046

Summary

The Jakarta Multipart parser in Apache Struts 2 fails to safely process exception conditions and error-message generation during file-upload attempts. A remote, unauthenticated attacker can inject OGNL (Object-Graph Navigation Language) expressions through crafted Content-Type, Content-Disposition, or Content-Length HTTP headers, resulting in arbitrary command execution on the target server. This vulnerability was actively exploited in the wild beginning March 2017.

Background

Apache Struts 2 is a widely adopted open-source MVC framework for building Java web applications. The framework includes a file-upload capability powered by the Jakarta Multipart parser, which processes incoming multipart/form-data requests. When the parser encounters an unexpected header format, it attempts to construct an error message. The flaw resides in how the parser builds that error message — it passes unsanitized attacker-controlled input into OGNL expression evaluation, turning an exception-handling path into a code-execution vector.

Root Cause (CWE-755)

This vulnerability is classified under CWE-755: Improper Handling of Exceptional Conditions. The Jakarta Multipart parser does not adequately sanitize user-supplied header values before incorporating them into exception messages. When the parser throws an exception — for example, upon receiving a malformed Content-Type header — the resulting error message is evaluated as an OGNL expression. Because OGNL can invoke Java methods and access runtime objects, an attacker can chain method calls to execute arbitrary system commands. The root cause is a breakdown in the trust boundary between external input and internal expression-evaluation engines.

Impact

The CVSS v2 base score of 10.0 and CVSS v3.1 score of 9.8 (CRITICAL) reflect the severity:

  • Network exploitable with no authentication required.
  • Low attack complexity — a single crafted HTTP header is sufficient.
  • Complete confidentiality, integrity, and availability impact — successful exploitation grants full control over the application server.

With an EPSS of 0.99999, this vulnerability is among the most reliably exploited in the wild. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog and EU exploited-vulnerability list underscores its real-world threat.

Exploitation Walkthrough (Defensive Perspective)

Ethics Notice: The following description is intended for defenders to understand attack patterns and build detection logic. Weaponized exploit code is deliberately omitted.

  1. Reconnaissance: The attacker identifies a web application running Apache Struts 2 by analyzing HTTP response headers, error pages, or known URL patterns.
  2. Header Injection: The attacker sends an HTTP request with a crafted Content-Type header containing an OGNL payload. A typical pattern includes a #cmd= sequence that invokes Java Runtime.getRuntime().exec() or equivalent reflective method chains.
  3. OGNL Evaluation: The Jakarta Multipart parser throws an exception while parsing the malformed header. The framework then attempts to build an error message using the raw header value, which is passed into OGNL evaluation.
  4. Command Execution: The OGNL engine resolves the payload, executing the embedded command in the context of the application server process.
  5. Post-Exploitation: Common follow-on actions include deploying web shells, exfiltrating data, or pivoting laterally within the network.

Affected and Patched Versions

Affected:

  • Apache Struts 2.3.x versions before 2.3.32
  • Apache Struts 2.5.x versions before 2.5.10.1

Patched:

  • Apache Struts 2.3.32
  • Apache Struts 2.5.10.1

Additional products and firmware versions listed in NVD CPE records (e.g., IBM Storwize, Lenovo Storage, HPE Server Automation, Oracle WebLogic Server, Aruba ClearPass Policy Manager, NetApp OnCommand Balance) may bundle or interoperate with vulnerable Struts components. Refer to vendor-specific advisories for confirmation.

Remediation

  1. Upgrade Immediately: Apply Apache Struts 2.3.32 or 2.5.10.1 (or later) from the official Struts download page. This is the only definitive fix.
  2. Compensating Controls (if patching is delayed):
    • Deploy a Web Application Firewall (WAF) rule to block requests containing OGNL-like patterns in Content-Type headers.
    • Implement strict input validation on all inbound headers at the reverse-proxy or load-balancer layer.
    • Restrict outbound network connectivity from application servers to limit post-exploitation lateral movement.
    • Ensure application processes run with least-privilege accounts (not root or SYSTEM).

Detection

  • Network: Monitor for HTTP requests with anomalous Content-Type values, particularly those containing #, $, {, }, or OGNL method chains (java.lang.Runtime, getRuntime, exec).
  • Endpoint: Look for unexpected child processes spawned by the Java application server (e.g., /bin/sh, cmd.exe, powershell.exe).
  • Application Logs: Struts may log exceptions related to multipart parsing. Correlate error spikes with suspicious source IPs.
  • IDS/IPS Signatures: Many commercial and open-source rule sets include signatures for S2-045/S2-046 exploitation.

Assessment

CVE-2017-5638 remains a textbook example of how improper exception handling can escalate into critical remote code execution. With near-certain exploitation probability (EPSS 0.99999) and confirmed active exploitation by multiple threat actors, any unpatched Struts 2 instance is a high-priority remediation target.

Key lessons:

  1. Sanitize all inputs — even error paths. Data that flows into exception messages, log entries, or diagnostic responses must be treated as untrusted.
  2. Expression engines need strict boundaries. Frameworks that embed expression languages (OGNL, SpEL, JEXL) should use whitelisting or sandboxing to prevent arbitrary code execution.

References

Frequently asked questions

What is CVE-2017-5638?
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
How severe is CVE-2017-5638?
CVE-2017-5638 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2017-5638 being actively exploited?
Yes. CVE-2017-5638 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2017-5638?
CVE-2017-5638 primarily affects Apache Struts. In total, 20 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2017-5638?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2017-5638 have an EU (EUVD) identifier?
Yes. CVE-2017-5638 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-0625. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2017-5638 published?
CVE-2017-5638 was published on 2017-03-11 and last updated on 2026-06-17.

References

Affected products (20)

More vulnerabilities in Apache Struts

All CVEs affecting Apache Struts →

Other CWE-755 (Improper Handling of Exceptional Conditions) vulnerabilities

Browse all CWE-755 (Improper Handling of Exceptional Conditions) vulnerabilities →