CVE-2025-54656— Apache Struts Extras: Improper Output Neutralization for Logs
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-54656
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache Struts Extras: Improper Output Neutralization for Logs
Source: NVD (National Vulnerability Database)
Vulnerability Description
** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts. This issue affects Apache Struts Extras: before 2. When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line, confusing consumers of the logs (either human or automated). As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
日志输出的转义处理不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Struts Extras 2 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache Struts Extras 2是美国阿帕奇(Apache)基金会的一个Apache Struts 2框架的扩展。 Apache Struts Extras 2存在安全漏洞,该漏洞源于使用LookupDispatchAction时可能将不受信任的输入打印到日志中。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache Struts Extras | 0 ~ 2 | - |
II. Public POCs for CVE-2025-54656
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-54656
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: Apache Software Foundation
- CVE-2026-39816
Apache NiFi: Missing Execute Code Required Permission on Tin - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro - CVE-2026-25077
Apache CloudStack: Unauthenticated Command Injection in Dire - CVE-2025-69233
Apache CloudStack: Domain/account resources limits not honor - CVE-2025-66467
Apache CloudStack: MinIO policy remains intact on bucket del
Same weakness: CWE-117
- CVE-2026-6494
Aap-mcp-server: aap mcp server: log injection allows social - CVE-2025-14684
IBM Maximo Application Suite - Monitor Component uses Log Fo - CVE-2025-59784
Log Pollution - Control Characters Not Escaped - CVE-2025-12755
Multiple vulnerabilities in IBM MQ Operator and Queue manage - CVE-2025-11537
Keycloak-server: sensitive headers shown in the http access
V. Comments for CVE-2025-54656
No comments yet