CVE-2025-54656

** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts. This issue affects Apache Struts Extras: before 2. When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line, confusing consumers of the logs (either human or automated). As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/so5cn07j2zn9vlf1xnfqp630wts719rr	Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2025/07/30/1

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:struts_extras:*:*:*:*:*:*:*:*

History

04 Nov 2025, 22:16

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2025/07/30/1 -

Information

Published : 2025-07-30 16:15

Updated : 2025-11-04 22:16

NVD link : CVE-2025-54656

Mitre link : CVE-2025-54656

CVE.ORG link : CVE-2025-54656

JSON object : View

Products Affected

apache

struts_extras

CWE

CWE-117

Improper Output Neutralization for Logs

{"id": "CVE-2025-54656", "cveTags": [{"tags": ["unsupported-when-assigned"], "sourceIdentifier": "[email protected]"}], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2025-07-30T16:15:28.693", "references": [{"url": "https://lists.apache.org/thread/so5cn07j2zn9vlf1xnfqp630wts719rr", "tags": ["Mailing List", "Vendor Advisory"], "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2025/07/30/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-117"}]}], "descriptions": [{"lang": "en", "value": "** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts.\n\nThis issue affects Apache Struts Extras: before 2.\n\nWhen using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line, confusing consumers of the logs (either human or automated).\u00a0\n\nAs this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.\n\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer."}, {"lang": "es", "value": "** NO SOPORTADO CUANDO SE ASIGN\u00d3 ** Vulnerabilidad de neutralizaci\u00f3n de salida incorrecta para registros en Apache Struts. Este problema afecta a Apache Struts Extras: versiones anteriores a la 2. Al usar LookupDispatchAction, en algunos casos, Struts puede imprimir entradas no confiables en los registros sin ning\u00fan filtro. Una entrada especialmente manipulada puede generar una salida de registro donde parte del mensaje se hace pasar por una l\u00ednea de registro independiente, lo que confunde a los usuarios (ya sean humanos o automatizados). Dado que este proyecto est\u00e1 retirado, no planeamos publicar una versi\u00f3n que solucione este problema. Se recomienda a los usuarios buscar una alternativa o restringir el acceso a la instancia a usuarios de confianza. NOTA: Esta vulnerabilidad solo afecta a los productos que ya no reciben soporte del fabricante."}], "lastModified": "2025-11-04T22:16:29.117", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:struts_extras:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B28F17ED-2F73-48A0-BAE8-91B3C9AE1B24", "versionEndExcluding": "2.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}