Apache Struts 2 Vulnerability Leads to Remote Code Execution (CVE-2017-5638)

Description: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.

Impact:  This vulnerability allows for unauthenticated, remote code execution on the server.


  1. Upgrade to Struts 2.3.32 or Struts
  2. Implement a Servlet filter to validate Content-Type and throw away request with suspicious values not matching multipart/form-data.

Reference URL’s: