CVE-2024-53677

File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.

This issue affects Apache Struts: from 2.0.0 before 6.4.0.

Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe.

You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067

Published: Dec 11, 2024
Updated: Jul 17, 2025
CVE: CVE-2024-53677
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
apache / struts	2.0.0	6.4.0

https://cwiki.apache.org/confluence/display/WW/S2-067
https://security.netapp.com/advisory/ntap-20250103-0005/

Vulnerability Database

CVE-2024-53677