Apache Software Foundation: Apache Struts 2 File-Upload Path Traversal Leading to RCE (analysis blog)
CWE-552
Files or Directories Accessible to External Parties
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Per NVD: “An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.” Per Praetorian’s blog: “the Struts ActionSupport class contains a bug in the filename parameter filtering in the file upload implementation. … an attacker can first capitalize a parameter in the request and then submit an additional parameter (in lowercase) that overrides an internal file name variable. … the poisoned filename value can contain path traversal characters.”
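To make the parameter-override primitive concrete, here is an added simulation (not Apache Struts code, and not taken from the NVD entry or Praetorian's blog) of the two request-processing layers the summary describes: a request-parameter layer, a file-upload layer that derives `<field>`, `<field>FileName` and `<field>ContentType` from the multipart field name, and a binding step that case-folds the first letter of a parameter name the way JavaBeans setter resolution does. The upload root `UPLOAD_DIR`, the field name `Upload`, the helper names and the sample parameters are all constructed for the example. The two hardenings shown (case-insensitive parameter keys, and a containment check on the final path) are illustrative defenses, not a description of the actual S2-066 fix commit.

```python
"""Simulation of the parameter-override primitive described for CVE-2023-50164.

Constructed example, not Apache Struts code. Two layers are modelled: the
request-parameter layer and the file-upload layer, plus the binding step that
maps parameter names onto action properties.
"""
import posixpath

UPLOAD_DIR = "/srv/app/uploads"  # assumed upload root, constructed for this example


def _property_name(param: str) -> str:
    """JavaBeans-style resolution: 'Upload' and 'upload' both reach setUpload()."""
    return param[:1].lower() + param[1:]


def _merge_layers(request_params, field_name, client_filename, key_fn):
    """Return the parameter map the action sees, as {key_fn(name): (name, value)}.

    Request parameters are collected first. The upload layer then appends the
    names it derives from the multipart field name and overwrites any request
    parameter with the same key. key_fn decides what "same key" means:
    identity (vulnerable) or casefold (hardened).
    """
    params = {}
    for name, value in request_params.items():
        params[key_fn(name)] = (name, value)
    derived = {
        field_name: b"<file bytes>",
        field_name + "FileName": client_filename,
        field_name + "ContentType": "application/octet-stream",
    }
    for name, value in derived.items():
        params[key_fn(name)] = (name, value)  # upload layer wins on key collision
    return params


def _bind(params):
    """Bind every parameter onto the action by case-folded property name.

    Real frameworks bind in hash order, not insertion order; sorted() stands in
    for an order in which the lowercase key is bound last ('U' sorts before
    'u'), which is the order the attack relies on. Last writer wins.
    """
    action = {}
    for key in sorted(params):
        name, value = params[key]
        action[_property_name(name)] = value
    return action


def resolve_upload_vulnerable(request_params, field_name, client_filename):
    """Exact-key parameter map, no containment check: the bound filename is
    joined onto UPLOAD_DIR as-is."""
    params = _merge_layers(request_params, field_name, client_filename, key_fn=lambda k: k)
    name = _bind(params)["uploadFileName"]
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, name))


def safe_target(filename: str) -> str:
    """Accept only a bare filename whose resolved path stays inside UPLOAD_DIR."""
    if not filename or "\x00" in filename or "/" in filename or "\\" in filename:
        raise ValueError(f"rejected filename {filename!r}")
    target = posixpath.normpath(posixpath.join(UPLOAD_DIR, filename))
    if posixpath.dirname(target) != UPLOAD_DIR:  # catches '.', '..' and similar
        raise ValueError(f"rejected filename {filename!r}")
    return target


def resolve_upload_hardened(request_params, field_name, client_filename):
    """Two independent hardenings: case-insensitive keys, so 'UploadFileName' and
    'uploadFileName' collide and the upload layer's value wins, plus a containment
    check on the final path regardless of how the name was bound."""
    params = _merge_layers(request_params, field_name, client_filename, key_fn=str.casefold)
    name = _bind(params)["uploadFileName"]
    return safe_target(name)


if __name__ == "__main__":
    # Constructed request: the file arrives in a field named 'Upload' (capital U)
    # and a second, lowercase parameter carries a traversal payload.
    attacker_params = {"uploadFileName": "../../outside.txt"}
    print(resolve_upload_vulnerable(attacker_params, "Upload", "report.pdf"))  # escapes UPLOAD_DIR
    print(resolve_upload_vulnerable(attacker_params, "upload", "report.pdf"))  # lowercase field: no override
    print(resolve_upload_hardened(attacker_params, "Upload", "report.pdf"))    # stays inside UPLOAD_DIR
```

The second call shows why the capitalisation matters in this model: with a lowercase field name the upload layer's derived `uploadFileName` overwrites the attacker's parameter on an exact key match, so only the mixed-case pair slips past. `safe_target` is deliberately independent of the binding fix, so a traversal string that reaches the save step by any other route is still rejected.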
Affected Packages / Versions
- Package: org.apache.struts:struts2-core (Maven)
- Latest published version at triage time: multiple Struts 2.5.x and 6.x branches
- Affected range: releases before the fixed versions on each branch, i.e. 2.5.0 through 2.5.32 and 6.0.0 through 6.3.0.1 (the S2-066 advisory also lists the end-of-life 2.0.0 through 2.3.37 line). Per NVD's vendor-supplied note: "Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue."
- Patched version: Apache Struts 2.5.33 / 6.3.0.2
Impact
Per Praetorian’s blog (the explicit framing): “Despite these apparent similarities … unlike CVE-2017-5638 … the exploitation of CVE-2023-50164 involves several preconditions that are dependent on the behavior and implementation of the application using Apache Struts. While CVE-2023-50164 is a serious issue and developers should promptly update applications using vulnerable versions of Apache Struts, it will be very difficult for an attacker to scan for and exploit this vulnerability at scale in the same manner as CVE-2017-5638.”
Severity Rationale
NVD scores the raw primitive CVSS 9.8 (Critical). Praetorian's blog explicitly tempers practical exploitability relative to that score: the override depends on application-specific preconditions (see Impact), so mass scanning and exploitation in the style of CVE-2017-5638 is not expected.
Fix
Per NVD: “Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.”
Disclosure timeline
- TBD: Reported to vendor
- Dec 7, 2023: Patch released (Apache S2-066 advisory; date matches NVD published)
- Dec 7, 2023: Public disclosure
Fix Commit(s)
See apache/struts S2-066 fix commit
References
- Discovered by / original disclosure: Steven Seeley (per Praetorian's blog).
- Praetorian: analysis-and-mitigating-factors blog, published after the public disclosure.
Published April 29, 2026