CVE-2017-5638
CVE-2017-5638 is a critical-severity vulnerability in Apache Struts with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-755.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 10.0
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2018-0625
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-755
- Affected product: Apache Struts
- Published:
- Last modified:
Description
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
CVE-2017-5638: Apache Struts 2 Jakarta Multipart Parser Remote Code Execution (S2-045)
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2017-5638 |
| CWE | CWE-755 — Improper Handling of Exceptional Conditions |
| CVSS v2 | 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) |
| CVSS v3.1 | 9.8 (CRITICAL) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| EPSS | 0.99999 (99.994th percentile) |
| KEV | Yes — CISA KEV, EU exploited since 2021-11-03 |
| Published | 2017-03-11 |
| Vendor | Apache Software Foundation |
| Advisories | S2-045, S2-046 |
Summary
The Jakarta Multipart parser in Apache Struts 2 fails to safely process exception conditions and error-message generation during file-upload attempts. A remote, unauthenticated attacker can inject OGNL (Object-Graph Navigation Language) expressions through crafted Content-Type, Content-Disposition, or Content-Length HTTP headers, resulting in arbitrary command execution on the target server. This vulnerability was actively exploited in the wild beginning March 2017.
Background
Apache Struts 2 is a widely adopted open-source MVC framework for building Java web applications. The framework includes a file-upload capability powered by the Jakarta Multipart parser, which processes incoming multipart/form-data requests. When the parser encounters an unexpected header format, it attempts to construct an error message. The flaw resides in how the parser builds that error message — it passes unsanitized attacker-controlled input into OGNL expression evaluation, turning an exception-handling path into a code-execution vector.
Root Cause (CWE-755)
This vulnerability is classified under CWE-755: Improper Handling of Exceptional Conditions. The Jakarta Multipart parser does not adequately sanitize user-supplied header values before incorporating them into exception messages. When the parser throws an exception — for example, upon receiving a malformed Content-Type header — the resulting error message is evaluated as an OGNL expression. Because OGNL can invoke Java methods and access runtime objects, an attacker can chain method calls to execute arbitrary system commands. The root cause is a breakdown in the trust boundary between external input and internal expression-evaluation engines.
Impact
The CVSS v2 base score of 10.0 and CVSS v3.1 score of 9.8 (CRITICAL) reflect the severity:
- Network exploitable with no authentication required.
- Low attack complexity — a single crafted HTTP header is sufficient.
- Complete confidentiality, integrity, and availability impact — successful exploitation grants full control over the application server.
With an EPSS of 0.99999, this vulnerability is among the most reliably exploited in the wild. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog and EU exploited-vulnerability list underscores its real-world threat.
Exploitation Walkthrough (Defensive Perspective)
Ethics Notice: The following description is intended for defenders to understand attack patterns and build detection logic. Weaponized exploit code is deliberately omitted.
- Reconnaissance: The attacker identifies a web application running Apache Struts 2 by analyzing HTTP response headers, error pages, or known URL patterns.
- Header Injection: The attacker sends an HTTP request with a crafted
Content-Typeheader containing an OGNL payload. A typical pattern includes a#cmd=sequence that invokes JavaRuntime.getRuntime().exec()or equivalent reflective method chains. - OGNL Evaluation: The Jakarta Multipart parser throws an exception while parsing the malformed header. The framework then attempts to build an error message using the raw header value, which is passed into OGNL evaluation.
- Command Execution: The OGNL engine resolves the payload, executing the embedded command in the context of the application server process.
- Post-Exploitation: Common follow-on actions include deploying web shells, exfiltrating data, or pivoting laterally within the network.
Affected and Patched Versions
Affected:
- Apache Struts 2.3.x versions before 2.3.32
- Apache Struts 2.5.x versions before 2.5.10.1
Patched:
- Apache Struts 2.3.32
- Apache Struts 2.5.10.1
Additional products and firmware versions listed in NVD CPE records (e.g., IBM Storwize, Lenovo Storage, HPE Server Automation, Oracle WebLogic Server, Aruba ClearPass Policy Manager, NetApp OnCommand Balance) may bundle or interoperate with vulnerable Struts components. Refer to vendor-specific advisories for confirmation.
Remediation
- Upgrade Immediately: Apply Apache Struts 2.3.32 or 2.5.10.1 (or later) from the official Struts download page. This is the only definitive fix.
- Compensating Controls (if patching is delayed):
- Deploy a Web Application Firewall (WAF) rule to block requests containing OGNL-like patterns in
Content-Typeheaders. - Implement strict input validation on all inbound headers at the reverse-proxy or load-balancer layer.
- Restrict outbound network connectivity from application servers to limit post-exploitation lateral movement.
- Ensure application processes run with least-privilege accounts (not root or SYSTEM).
- Deploy a Web Application Firewall (WAF) rule to block requests containing OGNL-like patterns in
Detection
- Network: Monitor for HTTP requests with anomalous
Content-Typevalues, particularly those containing#,$,{,}, or OGNL method chains (java.lang.Runtime,getRuntime,exec). - Endpoint: Look for unexpected child processes spawned by the Java application server (e.g.,
/bin/sh,cmd.exe,powershell.exe). - Application Logs: Struts may log exceptions related to multipart parsing. Correlate error spikes with suspicious source IPs.
- IDS/IPS Signatures: Many commercial and open-source rule sets include signatures for S2-045/S2-046 exploitation.
Assessment
CVE-2017-5638 remains a textbook example of how improper exception handling can escalate into critical remote code execution. With near-certain exploitation probability (EPSS 0.99999) and confirmed active exploitation by multiple threat actors, any unpatched Struts 2 instance is a high-priority remediation target.
Key lessons:
- Sanitize all inputs — even error paths. Data that flows into exception messages, log entries, or diagnostic responses must be treated as untrusted.
- Expression engines need strict boundaries. Frameworks that embed expression languages (OGNL, SpEL, JEXL) should use whitelisting or sandboxing to prevent arbitrary code execution.
References
- https://struts.apache.org/docs/s2-045.html
- https://struts.apache.org/docs/s2-046.html
- https://cwiki.apache.org/confluence/display/WW/S2-045
- https://cwiki.apache.org/confluence/display/WW/S2-046
- https://github.com/apache/struts/commit/352306493971e7d5a756d61780d57a76eb1f519a
- https://github.com/apache/struts/commit/6b8272ce47160036ed120a48345d9aa884477228
- https://www.kb.cert.org/vuls/id/834067
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-5638
- https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/
- https://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
- https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/
- https://security.netapp.com/advisory/ntap-20170310-0001/
- https://www.exploit-db.com/exploits/41614/
- https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html
Frequently asked questions
- What is CVE-2017-5638?
- The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
- How severe is CVE-2017-5638?
- CVE-2017-5638 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2017-5638 being actively exploited?
- Yes. CVE-2017-5638 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2017-5638?
- CVE-2017-5638 primarily affects Apache Struts. In total, 20 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2017-5638?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2017-5638 have an EU (EUVD) identifier?
- Yes. CVE-2017-5638 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-0625. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2017-5638 published?
- CVE-2017-5638 was published on 2017-03-11 and last updated on 2026-06-17.
References
- http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
- http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/
- http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt
- http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://www.securityfocus.com/bid/96729
- http://www.securitytracker.com/id/1037973
- https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/
- https://cwiki.apache.org/confluence/display/WW/S2-045
- https://cwiki.apache.org/confluence/display/WW/S2-046
- https://exploit-db.com/exploits/41570
- https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=352306493971e7d5a756d61780d57a76eb1f519a
- https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=6b8272ce47160036ed120a48345d9aa884477228
- https://github.com/mazen160/struts-pwn
- https://github.com/rapid7/metasploit-framework/issues/8064
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us
- https://isc.sans.edu/diary/22169
- https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E
- https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html
- https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
- https://security.netapp.com/advisory/ntap-20170310-0001/
- https://struts.apache.org/docs/s2-045.html
- https://struts.apache.org/docs/s2-046.html
- https://support.lenovo.com/us/en/product_security/len-14200
- https://twitter.com/theog150/status/841146956135124993
- https://www.exploit-db.com/exploits/41614/
Affected products (20)
- cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:storwize_v3500_firmware:7.7.1.6:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:storwize_v3500_firmware:7.8.1.0:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:storwize_v5000_firmware:7.7.1.6:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:storwize_v5000_firmware:7.8.1.0:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:storwize_v7000_firmware:7.7.1.6:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:storwize_v7000_firmware:7.8.1.0:*:*:*:*:*:*:*
- cpe:2.3:o:lenovo:storage_v5030_firmware:7.7.1.6:*:*:*:*:*:*:*
- cpe:2.3:o:lenovo:storage_v5030_firmware:7.8.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:hp:server_automation:9.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:hp:server_automation:10.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:hp:server_automation:10.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:hp:server_automation:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:hp:server_automation:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:arubanetworks:clearpass_policy_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*
More vulnerabilities in Apache Struts
- CVE-2013-4316 — Critical (CVSS 10.0): Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack…
- CVE-2012-0838 — Critical (CVSS 10.0): Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error,…
- CVE-2024-53677 — Critical (CVSS 9.8): File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal…
- CVE-2023-50164 — Critical (CVSS 9.8): An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to…
- CVE-2021-31805 — Critical (CVSS 9.8): The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s…
- CVE-2020-17530 — Critical (CVSS 9.8): Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected…
All CVEs affecting Apache Struts →
Other CWE-755 (Improper Handling of Exceptional Conditions) vulnerabilities
- CVE-2025-34193 — Critical (CVSS 9.8): Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 25.1.102 and Application versions prior…
- CVE-2025-10156 — Critical (CVSS 9.8): An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314…
- CVE-2021-42142 — Critical (CVSS 9.8): An issue was discovered in Contiki-NG tinyDTLS through master branch 53a0d97. DTLS servers mishandle the early use of a…
- CVE-2021-42141 — Critical (CVSS 9.8): An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. One incorrect handshake could complete with…
- CVE-2023-38406 — Critical (CVSS 9.8): bgpd/bgp_flowspec.c in FRRouting (FRR) before 8.4.3 mishandles an nlri length of zero, aka a "flowspec overflow."
- CVE-2022-23121 — Critical (CVSS 9.8): This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk.…
Browse all CWE-755 (Improper Handling of Exceptional Conditions) vulnerabilities →