Security Research
Struts2 zero day in the wild

alvaro_munoz ‎04-25-2014 01:00 AM - edited ‎04-28-2014 01:55 AM

Remote code execution zero day in up-to-date Struts 2 applications:


Several months ago the Struts2 team announced security vulnerability S2-020, which allowed ClassLoader manipulation resulting in Remote Code Execution on certain application servers such as Tomcat 8. The fix for this vulnerability was to add the following regex to the ParametersInterceptor's excluded parameter patterns, so that any action parameter whose name matched it was rejected:




However, a bypass that basically consists of replacing the dot notation with the square bracket notation was made publicly available. Instead of using class.classLoader to access the ClassLoader, the bypass used class['classLoader']. We verified that the bypass works as expected on our local PoC running the latest Struts version, and we were able to pop up an evil calculator on the application server. Please note that it is also possible to bypass the original regex by using Class.classLoader (with a capital 'C'), because the exclusion pattern is case-sensitive.




We notified the Struts2 team that the zero day had been publicly disclosed and showed them the mitigation we were proposing before writing this blog post. Until the Struts2 team releases the fix, please update your excludeParams regular expression to also cover the opening square bracket and capital 'C' cases:




The easiest way to accomplish this is to modify your Struts config file (struts.xml) so that the default interceptor stack runs the ParametersInterceptor with the stricter excludeParams value:


    <package name="default" namespace="/" extends="struts-default">
        <interceptors>
            <!-- Reuse defaultStack but override params.excludeParams with the stricter pattern list -->
            <interceptor-stack name="secureParamInterceptor">
                <interceptor-ref name="defaultStack">
                    <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
                </interceptor-ref>
            </interceptor-stack>
        </interceptors>

        <!-- Make the hardened stack the default for every action in this package -->
        <default-interceptor-ref name="secureParamInterceptor" />
    </package>
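To see why the square bracket and capital 'C' spellings slip past a dot-only pattern and why the stricter excludeParams value above stops them, the following added example (written for this post, not code from the original article or from Struts) replays the parameter-name check in Python. It mirrors how the ParametersInterceptor applies excludeParams: the comma-separated value is split into individual patterns and a parameter is dropped when any pattern matches the whole name (Java Matcher.matches() semantics, hence re.fullmatch). The S2-021 pattern list is copied from the struts.xml snippet above; the pre-S2-021 list is reproduced from memory, not from this post, and is marked as an assumption in the code. The parameter names are constructed; the part of the path after classLoader does not matter to the filter.

```python
import re

# excludeParams value from the S2-021 mitigation, copied from the struts.xml snippet above.
# Struts keeps it as one comma-separated string and splits it into individual patterns.
S2_021_EXCLUDE = (
    r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,"""
    r"""^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,"""
    r"""^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*"""
)

# Assumption (reproduced from memory, not from this post): the S2-020 fix only added the
# dot-notation pattern (.*\.|^)class\..* to the same default list.
S2_020_EXCLUDE = (
    r"""(.*\.|^)class\..*,"""
    r"""^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,"""
    r"""^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*"""
)

# Constructed parameter names: the dot, bracket and capital-C spellings discussed in the post,
# plus a few ordinary names to show what each filter lets through or drops as a side effect.
CANDIDATE_PARAMS = [
    "class.classLoader.foo",          # dot notation, blocked since S2-020
    "class['classLoader'].foo",       # single-quoted bracket bypass
    'class["classLoader"].foo',       # double-quoted bracket bypass
    "Class.classLoader.foo",          # capital-C bypass
    "foo.class.classLoader.foo",      # same access reached through a nested bean
    "user.name",                      # ordinary parameter
    "classic.album",                  # contains "class" but is not a class property access
    "userclass.id",                   # collateral: the S2-021 pattern also drops this one
]


def compile_exclusions(exclude_params: str):
    """Split the comma-separated excludeParams value the way Struts does and compile each entry."""
    return [re.compile(p) for p in exclude_params.split(",") if p]


def is_excluded(param_name: str, patterns) -> bool:
    """A name is dropped if any pattern matches it in full (Java Matcher.matches() semantics)."""
    return any(p.fullmatch(param_name) for p in patterns)


def bypass_report(names=CANDIDATE_PARAMS):
    """Return {name: (excluded_by_s2_020, excluded_by_s2_021)} for each candidate name."""
    old = compile_exclusions(S2_020_EXCLUDE)
    new = compile_exclusions(S2_021_EXCLUDE)
    return {n: (is_excluded(n, old), is_excluded(n, new)) for n in names}


def newly_excluded(names=CANDIDATE_PARAMS):
    """Names that pass the S2-020 filter but are dropped once the S2-021 value is applied."""
    return [n for n, (old, new) in bypass_report(names).items() if not old and new]


if __name__ == "__main__":
    print(f"{'parameter name':30} S2-020  S2-021")
    for name, (old, new) in bypass_report().items():
        print(f"{name:30} {str(old):7} {new}")
    print("newly excluded by S2-021:", newly_excluded())
```

Running it shows the three bypass spellings reaching OGNL under the dot-only pattern and being dropped under the S2-021 value. It also shows the cost of that value: because one of its prefix alternatives is a bare `.*`, any parameter whose name contains `class` immediately followed by `.`, `[`, `']` or `"]` (such as `userclass.id`) is silently discarded, so check your own parameter names before deploying it.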


Update (25/04/14):


Struts2 has published an announcement with their own mitigation for the zero day while they come up with a patch. The regular expression in this post has been updated to show the one proposed by the Struts2 team since it is more restrictive.


Update 2 (28/04/14):


Struts2 has released a new version that addresses this zero day and also protects the CookieInterceptor. Users are strongly recommended to update to that version.


Stay secure!




on ‎04-27-2014 01:53 PM

Thanks for your alert.

Struts team indicates that this vulnerability can be exploited through cookie parameters.

Could you please confirm that the regex described patches the whole vulnerability?


Thank you

on ‎04-28-2014 01:59 AM

Hi John,


Thanks for your comment.


As specified in the S2-021 advisory:


It isn't possible to do the same with CookieInterceptor, so don't use wildcard mapping to accept cookie names or implement your own version of CookieInterceptor based on code provided in Struts.


So please update to Struts as soon as possible to fully protect the CookieInterceptor.
