Vulnerability Description
** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts. This issue affects Apache Struts Extras: before 2. When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line, confusing consumers of the logs (either human or automated). As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
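The mechanism described above, as an added illustration that is not Struts code and not part of the original advisory: a dispatch action that cannot find a handler for a request parameter echoes the raw parameter into its log message. Because the value is never neutralized, a parameter containing CR/LF followed by text shaped like a log record produces what a line-oriented consumer reads as two records. The sample log format, the `CountingLog` wrapper, the `FORGED_PARAM` value and all function names are constructed for this example; the hardened variant encodes control characters and caps the length so one write always stays one record, and the consumer-side check compares apparent records against actual writes.

```python
import re

# Constructed example input: the value of a request parameter that a dispatch
# action would echo into a "no handler found" log message. The second half is
# shaped to look like an unrelated, successful authentication record.
FORGED_PARAM = "nope\r\n2025-07-30 10:00:01 INFO  [auth] user=admin login=success"

# Pattern for one record in the (constructed) log format used here.
RECORD_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (TRACE|DEBUG|INFO|WARN|ERROR) +\["
)


def unsafe_log_record(param: str) -> str:
    """Vulnerable pattern: the untrusted value is concatenated into the message as-is."""
    return f"2025-07-30 10:00:00 WARN  [dispatch] no method for parameter: {param}"


def neutralize(value: str, max_len: int = 256) -> str:
    """Encode every control character so the value cannot terminate the current record.

    CR, LF and TAB get readable escapes; any other C0 control or DEL becomes \\xNN.
    Over-long values are truncated so a single request cannot flood the log.
    """
    out = []
    for ch in value[:max_len]:
        code = ord(ch)
        if ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\t":
            out.append("\\t")
        elif code < 0x20 or code == 0x7F:
            out.append(f"\\x{code:02x}")
        else:
            out.append(ch)
    if len(value) > max_len:
        out.append("...[truncated]")
    return "".join(out)


def safe_log_record(param: str) -> str:
    """Hardened pattern: the untrusted value is neutralized before it reaches the log."""
    return f"2025-07-30 10:00:00 WARN  [dispatch] no method for parameter: {neutralize(param)}"


class CountingLog:
    """Minimal log sink that remembers how many records were actually written."""

    def __init__(self) -> None:
        self.records = []
        self.writes = 0

    def write(self, record: str) -> None:
        self.records.append(record)
        self.writes += 1

    def text(self) -> str:
        # Physical representation a file-based consumer would read back.
        return "\n".join(self.records) + "\n"


def apparent_records(log_text: str) -> list:
    """Parse the log the way a naive consumer does: one physical line per record."""
    return [line for line in log_text.splitlines() if RECORD_RE.match(line)]


def forgery_suspected(log: CountingLog) -> bool:
    """Consumer-side check: more parsed records than writes means a record was split."""
    return len(apparent_records(log.text())) != log.writes


if __name__ == "__main__":
    for builder in (unsafe_log_record, safe_log_record):
        log = CountingLog()
        log.write(builder(FORGED_PARAM))
        print(builder.__name__, "->", len(apparent_records(log.text())),
              "apparent record(s); forgery suspected:", forgery_suspected(log))
```

The write-count comparison only works when the logging layer and the consumer share a counter or sequence number; on a plain log file the forged record is indistinguishable from a genuine one, which is exactly why the fix has to happen at the point where the untrusted value is formatted.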
CVSS Score
MEDIUM (CVSS base score 6.5)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Struts Extras | < 2.0 |
Related Weaknesses (CWE)
- CWE-117: Improper Output Neutralization for Logs
References
- https://lists.apache.org/thread/so5cn07j2zn9vlf1xnfqp630wts719rr (mailing list, vendor advisory)
- http://www.openwall.com/lists/oss-security/2025/07/30/1 (oss-security mailing list)
FAQ
What is CVE-2025-54656?
CVE-2025-54656 is a vulnerability with a CVSS score of 6.5 (MEDIUM). ** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts. This issue affects Apache Struts Extras: before 2. When using LookupDispatchAction, in some ca...
How severe is CVE-2025-54656?
CVE-2025-54656 has been rated MEDIUM with a CVSS base score of 6.5/10. This page lists only the base score; the full CVSS vector is not given here.
Is there a patch for CVE-2025-54656?
No. The Apache Struts Extras project is retired and the vendor advisory states that no fixed version will be released. The affected product is Apache Struts Extras before 2.0. The recommended mitigation is to migrate to an alternative or to restrict access to the instance to trusted users; see the references section above for the vendor advisory.