CVE-2025-54656 – Apache Struts LookupDispatchAction Log Injection

CVE ID : CVE-2025-54656

Published : July 30, 2025, 4:15 p.m. | 1 hour, 14 minutes ago

Description : ** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts.

This issue affects Apache Struts Extras: before 2.

When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line, confusing consumers of the logs (either human or automated). 

As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…