Apache Struts 2.5.33 Jar Flagged With 10 Vulnerabilities, Including a CVSS 9.8 Critical
A dependency security scan has flagged the widely used Apache Struts 2 framework, version 2.5.33, as carrying ten distinct known vulnerabilities, the most severe of which is rated 9.8 out of 10 on the CVSS scale. The scanner marks the vulnerabilities as 'reachable', meaning it found a call path from the project's own code to the affected functions; that raises the likelihood of exploitation well above that of a bundled but unused library, although reachability alone does not prove that an attacker can drive controlled input down that path. The finding comes from a GitHub repository dedicated to vulnerability testing, so it documents known, persistent flaws in a core component powering many enterprise Java web applications rather than a newly discovered issue.
The vulnerable library, `struts2-core-2.5.33.jar`, was identified through the project's dependency manifest. The scan records the exact path to the jar within the build and links it to a specific commit in the public repository, giving a clear trail of when and where the vulnerable component was introduced. Multiple high-severity issues in a single, foundational release add up to a substantial cumulative risk for any system still shipping this version.
The finding puts pressure on development and security teams across industries to audit their dependencies, including transitive ones that never appear in a top-level manifest. Organizations running Struts 2.5.33 or older face heightened scrutiny, since unpatched Struts vulnerabilities have historically been prime targets for large-scale attacks. Reachable findings should be treated as priority remediation work: upgrade to a release in which the flagged issues are fixed, which for the 2.5.x line means moving to a currently maintained Struts release, or, where an upgrade cannot be scheduled immediately, apply the mitigations published in the corresponding Apache Struts security bulletins to reduce exposure to remote code execution and data breach scenarios.
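One way to run the dependency audit called for above is to read each build manifest, pick out the Apache Struts coordinates, resolve Maven property placeholders, and compare versions numerically rather than as strings (so that 2.5.10.1 sorts below 2.5.33). The following is an added example, not code from the scanner, the test repository, or the Struts project. The pom.xml is a constructed sample, the threshold is the 2.5.33 version named in the report above (not an authoritative fixed version), and the function names are this example's own.

```python
"""Audit a Maven pom.xml for Apache Struts artifacts at or below a flagged version.

Added example (not the scanner's or the Struts project's code). The pom below
is a constructed sample; FLAGGED_VERSION is the version named in the report.
"""
import re
import xml.etree.ElementTree as ET

FLAGGED_VERSION = "2.5.33"               # version flagged in the scan report
STRUTS_GROUP = "org.apache.struts"       # struts2-core and its plugins share a release line
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample: one property-driven version, one literal version,
# one version managed elsewhere (e.g. a parent or BOM), and one unrelated dependency.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>webapp</artifactId><version>1.0</version>
  <properties><struts2.version>2.5.33</struts2.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId><artifactId>struts2-core</artifactId>
      <version>${struts2.version}</version></dependency>
    <dependency><groupId>org.apache.struts</groupId><artifactId>struts2-convention-plugin</artifactId>
      <version>2.5.33</version></dependency>
    <dependency><groupId>org.apache.struts</groupId><artifactId>struts2-json-plugin</artifactId></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.13.2</version></dependency>
  </dependencies>
</project>
"""


def parse_version(version):
    """Turn '2.5.10.1' into a tuple that orders numerically; non-numeric parts sort lowest."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        parts.append((1, int(piece)) if piece.isdigit() else (0, piece))
    return tuple(parts)


def _text(elem, tag):
    child = elem.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else None


def _resolve(value, props):
    """Expand ${name} placeholders from <properties>; unknown names are left as-is."""
    for _ in range(5):                   # bounded, so self-referential properties cannot loop
        if value is None or "${" not in value:
            break
        value = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)
    return value


def struts_dependencies(pom_xml):
    """Return [{'artifactId', 'version'}] for every org.apache.struts dependency in the pom."""
    root = ET.fromstring(pom_xml)
    props = {}
    props_elem = root.find("m:properties", NS)
    if props_elem is not None:
        for child in props_elem:
            props[child.tag.split("}")[-1]] = (child.text or "").strip()
    props.setdefault("project.version", _text(root, "version") or "")
    results = []
    for dep in root.iterfind(".//m:dependency", NS):
        if _text(dep, "groupId") != STRUTS_GROUP:
            continue
        results.append({"artifactId": _text(dep, "artifactId"),
                        "version": _resolve(_text(dep, "version"), props)})
    return results


def audit_pom(pom_xml, flagged=FLAGGED_VERSION):
    """One finding per Struts artifact at or below the flagged version, or whose version
    cannot be resolved from this pom alone (check the effective pom for those)."""
    findings = []
    for dep in struts_dependencies(pom_xml):
        version = dep["version"]
        if version is None or "${" in version:
            findings.append(f"{dep['artifactId']}: version not resolvable in this pom, check the effective pom")
        elif parse_version(version) <= parse_version(flagged):
            findings.append(f"{dep['artifactId']} {version}: at or below flagged {flagged}")
    return findings


if __name__ == "__main__":
    for line in audit_pom(SAMPLE_POM):
        print(line)
```

The unresolved-version case matters in practice: a version inherited from a parent pom or a BOM is invisible to a single-file check, and so are transitive pulls of struts2-core through another library. For those, run the check against the effective tree (`mvn dependency:tree -Dincludes=org.apache.struts`) rather than the raw manifest.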