Two Struts CVEs, one incomplete fix, and the enterprise Java visibility problem
CVE-2023-50164 and CVE-2024-53677 hit the same file upload component in Apache Struts, a year apart. The second arrived because the fix for the first didn't go far enough. The real exposure is organizations that don't know where Struts lives in their stack.
The December 2023 fix for Apache Struts CVE-2023-50164 was a valid patch for the specific parameter-handling flaw it targeted. Twelve months later, Apache published CVE-2024-53677, rated CVSS 9.5, affecting versions that had already received the first fix. Same component. Same file upload mechanism. Same class of path traversal. The patch was incomplete.
Incomplete patches are not unusual. What makes the S2-066 and S2-067 pair worth examining is what closing the second CVE actually required: not another version bump, but a non-backward-compatible architectural migration and the explicit deprecation of the file upload component that produced both vulnerabilities.
How the mechanism works
Both CVEs root in Struts 2’s FileUploadInterceptor. When a multipart form submits a file, the interceptor exposes the upload’s filename as an action property, and request parameters reach that property through OGNL setter methods. The flaw in S2-066 (CVE-2023-50164) works through HTTP parameter case sensitivity. Rapid7’s analysis describes it: send an UploadFileName parameter carrying a sanitized filename, then a second uploadFileName parameter carrying path traversal. Both spellings resolve to the same setter, so it runs twice: the first pass stores the clean name, the second overwrites it with the traversal payload. That second value, with its ../ or ..\ sequences intact, determines where the file lands on disk.
A JSP web shell written outside the intended upload directory gives the attacker code execution as soon as they request it. The prerequisites are specific: FileUploadInterceptor must be enabled, and the application’s upload handling must copy the file to a path built from the filename the setter returned. Not every Struts deployment is exploitable. Where those conditions hold, it lands as unauthenticated RCE.
The fix for S2-066 addressed the specific case variation. For S2-067 (CVE-2024-53677), the project concluded that FileUploadInterceptor could not be patched incrementally. The remediation is an upgrade to Struts 6.4.0 or later plus a migration to the ActionFileUpload interceptor, and that migration requires application-level code changes. The S2-067 advisory is explicit that the new interceptor is not a drop-in replacement: application code that handled uploads with the old interceptor must be rewritten.
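The two halves of the mechanism above, the setter overwrite and the check that a hardened upload handler performs on the resulting name, as an added example. This is a constructed Python model, not Struts code (the real interceptor is Java and the parameter plumbing is OGNL); the class names, the `ALLOWED_EXT` allowlist and the sample parameter order are assumptions made for the example.

```python
import os
import re
import tempfile


# Constructed model of the behaviour behind S2-066: two spellings of one
# parameter name reach the same setter, and the later value wins.
class UploadAction:
    def __init__(self):
        self.upload_file_name = None

    def set_upload_file_name(self, value):
        self.upload_file_name = value


def setter_for(action, param_name):
    """Map a request parameter name to a setter the way a bean resolver would.

    Assumption modelled here: the case of the first letter is not significant,
    so uploadFileName and UploadFileName both reach set_upload_file_name."""
    camel = param_name[:1].lower() + param_name[1:]
    snake = "".join("_" + c.lower() if c.isupper() else c for c in camel)
    return getattr(action, "set_" + snake, None)


def apply_params(action, params):
    """params: ordered (name, value) pairs as the container hands them over.
    Returns the filename the action ends up holding."""
    for name, value in params:
        setter = setter_for(action, name)
        if setter is not None:
            setter(value)  # nothing notices that the property was already set
    return action.upload_file_name


ALLOWED_EXT = {".pdf", ".png", ".txt"}  # hypothetical allowlist for this example


def resolve_upload_target(upload_dir, client_name):
    """Turn an attacker-controlled filename into a path inside upload_dir, or raise."""
    # Keep only the last path component; split on both separators so ..\..\ on a
    # Windows host and ../../ on Linux are handled alike.
    base = re.split(r"[\\/]", client_name)[-1]
    if base in ("", ".", "..") or base.startswith("."):
        raise ValueError(f"rejected filename {client_name!r}")
    if os.path.splitext(base)[1].lower() not in ALLOWED_EXT:
        raise ValueError(f"rejected extension in {client_name!r}")
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, base))
    # Belt and braces: even after taking the basename, require the result to stay under root.
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"path escape in {client_name!r}")
    return target


def demo():
    """Run the override and the hardened check against constructed inputs."""
    traversal = "../../webapps/ROOT/shell.jsp"
    ordered = [("UploadFileName", "report.pdf"), ("uploadFileName", traversal)]
    landed = apply_params(UploadAction(), ordered)
    upload_dir = os.path.join(tempfile.gettempdir(), "uploads")  # assumed upload root
    try:
        resolve_upload_target(upload_dir, landed)
        rejection = None
    except ValueError as e:
        rejection = str(e)
    # A Windows-style traversal with an allowed extension collapses to a safe name.
    return landed, rejection, resolve_upload_target(upload_dir, "..\\..\\notes.txt")


if __name__ == "__main__":
    landed, rejection, safe = demo()
    print("name the action holds :", landed)
    print("hardened handler      :", rejection)
    print("safe example          :", safe)
```

The point of `resolve_upload_target` is that it never trusts the name the framework handed it, whichever interceptor produced it: the basename strip, the extension allowlist and the containment check each independently defeat the `shell.jsp` write, so a regression in any one of them does not reopen the hole.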
The exploitation timeline
CVE-2023-50164 was published December 7, 2023; CISA issued an alert December 12 urging immediate patching. Proof-of-concept exploits appeared December 11. Akamai observed active exploitation attempts by December 12, five days after disclosure.
Akamai documented two distinct exploitation variants. The first mirrored the published PoC, targeting /login.action with the parameter name uploadFileName. The second, deployed by a coordinated group targeting multiple customers, used /s2/upload.action and fileFileName. The second variant was not the PoC script run verbatim. Someone had read the advisory, understood the mechanism, and adjusted the exploit for a different endpoint configuration. The week between disclosure and broad targeting contained exactly one quiet day.
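A request-level check that catches both of the shapes Akamai describes, as an added example rather than anything from Akamai or the Struts project. It parses a `multipart/form-data` body and flags a non-file field whose name ends in `FileName` and whose value carries traversal, a file part whose own filename carries traversal, or a pair of parameter names differing only in the case of their first letter. The three request bodies are constructed for the example; the endpoint paths and parameter names follow the two variants in the text, and the file contents are placeholders.

```python
import re

BOUNDARY = b"----example-boundary"  # constructed; real requests pick their own
TRAVERSAL = re.compile(r"\.\.[\\/]")
FILENAME_FIELD = re.compile(r"FileName$", re.IGNORECASE)


def parse_multipart(body, boundary):
    """Minimal multipart/form-data parser: returns [{'name', 'filename', 'value'}]."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):
            data = data[:-2]  # strip only the CRLF that precedes the next delimiter
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            k, _, v = line.partition(":")
            headers[k.strip().lower()] = v.strip()
        cd = headers.get("content-disposition", "")
        name = re.search(r'name="([^"]*)"', cd)
        filename = re.search(r'filename="([^"]*)"', cd)
        parts.append({
            "name": name.group(1) if name else "",
            "filename": filename.group(1) if filename else None,
            "value": data.decode("latin-1"),
        })
    return parts


def flag_request(path, body, boundary=BOUNDARY):
    """Return a list of findings for one multipart POST; empty means nothing suspicious."""
    findings = []
    seen = {}  # first-letter-normalised name -> name as first seen
    for p in parse_multipart(body, boundary):
        key = p["name"][:1].lower() + p["name"][1:]
        if key in seen and seen[key] != p["name"]:
            findings.append(f"{path}: case-variant pair {seen[key]!r} / {p['name']!r}")
        seen.setdefault(key, p["name"])
        if p["filename"] is not None and TRAVERSAL.search(p["filename"]):
            findings.append(f"{path}: traversal in part filename {p['filename']!r}")
        if p["filename"] is None and FILENAME_FIELD.search(p["name"]) and TRAVERSAL.search(p["value"]):
            findings.append(f"{path}: traversal in field {p['name']!r} = {p['value']!r}")
    return findings


def build_body(fields, boundary=BOUNDARY):
    """Assemble a multipart body from (name, filename_or_None, bytes) triples."""
    out = b""
    for name, filename, data in fields:
        out += b"--" + boundary + b"\r\n"
        cd = f'Content-Disposition: form-data; name="{name}"'
        if filename is not None:
            cd += f'; filename="{filename}"'
            out += cd.encode() + b"\r\nContent-Type: application/octet-stream\r\n"
        else:
            out += cd.encode() + b"\r\n"
        out += b"\r\n" + data + b"\r\n"
    return out + b"--" + boundary + b"--\r\n"


# Constructed sample requests shaped like the two observed variants plus a benign upload.
SAMPLE_REQUESTS = {
    "poc-shape": ("/login.action", build_body([
        ("Upload", "shell.jsp", b"<% placeholder %>"),
        ("uploadFileName", None, b"../../webapps/ROOT/shell.jsp"),
    ])),
    "second-variant": ("/s2/upload.action", build_body([
        ("File", "x.jsp", b"<% placeholder %>"),
        ("fileFileName", None, b"../../../webapps/ROOT/x.jsp"),
    ])),
    "benign": ("/upload.action", build_body([
        ("upload", "report.pdf", b"%PDF-1.4 placeholder"),
    ])),
}


def scan_samples():
    """Run the check over every sample; returns {label: findings}."""
    return {label: flag_request(path, body) for label, (path, body) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, findings in scan_samples().items():
        print(label, "->", findings or "clean")
```

The check keys on the parameter name suffix rather than on a specific endpoint, which is why the `/s2/upload.action` variant with `fileFileName` is caught by the same rule as the PoC shape. It needs the request body, so it belongs in a WAF, reverse proxy or request-logging layer; ordinary access logs, which record only the URL, cannot see either variant.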
CVE-2024-53677 followed in December 2024, with exploitation attempts surfacing shortly after the PoC appeared, repeating the same disclosure-to-exploitation interval. The affected population now included organizations that had patched CVE-2023-50164 and believed the issue closed.
What Struts’s patch history says
A framework that produces two critical file upload RCEs in twelve months on the same component is not running through a bad patch of luck. Struts’s most documented breach is the 2017 Equifax incident: CVE-2017-5638, a CVSS 10.0 unauthenticated RCE via a malformed Content-Type header, patched March 6, 2017. Attackers began exploiting Equifax on March 10. The breach ran through July 30 and exposed personal data for approximately 143 million US consumers by Equifax’s initial count, later revised upward to about 147 million.
The Apache Software Foundation noted at the time that the breach resulted from Equifax’s failure to apply an available patch. That is accurate. It is also beside the point for anyone trying to understand why Struts keeps producing this class of vulnerability. The pattern is file upload and request-parsing flaws across a succession of Struts 2 advisories, each exploited quickly, each leaving some portion of the installed base unpatched long after a fix shipped.
The inventory problem
Apache Struts 2 ships as a JAR bundled into WAR or EAR files at build time. An application that exposed a Struts file upload endpoint in December 2023 may have been maintained by a team that did not know Struts was in the dependency tree, or that knew it was there but had not mapped which endpoints were externally reachable.
This is what the Equifax breach actually demonstrated operationally: the team that received the March 9, 2017 directive to patch all Struts applications did not patch the system that was breached, because it was not on anyone’s list. Nearly five months of unauthorized access followed a missed inventory item.
Vulnerability scanners that identify Struts by JAR filename or manifest attributes will surface most cases. They miss Struts bundled inside fat JARs, shaded under relocated package names, or deployed inside commercial middleware where the vendor controls the update cycle. Organizations running large Java application portfolios frequently discover Struts in places they did not put it. The discovery happens when a CVE forces the question. The question has been forced several times now, and the interval between the CVE and active exploitation has not widened.
What the deprecation signals
Apache’s decision to deprecate FileUploadInterceptor rather than continue patching it says something plainly: the project considers this component an architectural liability and will not maintain it forward. Struts 6.4.0 or later with the new upload mechanism is the only safe upgrade path for CVE-2024-53677, and it requires code changes, not just a version bump.
For a team that discovered a dormant Struts 2 application through a scanner alert, “rewrite the upload handling” is not a one-afternoon task. For a team maintaining a commercial product that bundles Struts, the migration timeline is not theirs to set. The deprecation is the honest signal that the file upload component is done.
The prioritization call
If Struts 2 is in your environment, the actionable target is 6.4.0 or later with ActionFileUpload. Patching to 2.5.33 or 6.3.0.2 (the CVE-2023-50164 fix releases) left CVE-2024-53677 open because the deprecated component remained in place.
The harder problem is knowing what is running Struts 2 in the first place. Software composition analysis with JAR-level scanning, not just dependency manifest parsing, is what separates seeing this class of issue before the CVE drops from scrambling to locate exposure after it does.
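The JAR-level scan the two inventory passages above call for, as an added example that is not part of the original page and not a product of any vendor named here. It walks a directory tree, opens every JAR, WAR and EAR, descends into archives nested inside them, and reports struts2-core by its Maven `pom.properties` (which carries the version) or, failing that, by the `FileUploadInterceptor` class path found anywhere in the archive, which catches the common shade-by-relocation case but not a full package rename. The three sample archives are built in a temporary directory for the example and are not real artifacts; the 6.4.0 floor comes from the S2-067 advisory.

```python
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Evidence markers. Assumption: struts2-core jars carry this pom.properties path;
# the class path survives shading when packages are relocated by prefix, not renamed.
POM_PROPS = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"
CLASS_RE = re.compile(r"(^|/)org/apache/struts2/interceptor/FileUploadInterceptor\.class$")
FIXED = (6, 4, 0)  # S2-067: anything older still ships the deprecated interceptor


def version_tuple(v):
    """'2.5.32' -> (2, 5, 32); 'unknown' -> None."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3]) or None


def scan_archive(data, label):
    """Return [(location, evidence, version)] for this zip and every archive nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    hits = []
    with zf:
        names = zf.namelist()
        if POM_PROPS in names:
            m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("latin-1"), re.M)
            hits.append((label, "struts2-core pom.properties", m.group(1).strip() if m else "unknown"))
        elif any(CLASS_RE.search(n) for n in names):
            hits.append((label, "FileUploadInterceptor.class, no pom (shaded?)", "unknown"))
        for n in names:
            if n.lower().endswith(ARCHIVE_EXT):
                hits.extend(scan_archive(zf.read(n), f"{label}!{n}"))
    return hits


def scan_tree(root):
    """Scan every archive under root; locations are reported relative to root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    hits.extend(scan_archive(fh.read(), os.path.relpath(path, root)))
    return hits


def triage(hits):
    """Map location -> 'patch' (below 6.4.0), 'review' (version unknown) or 'ok'."""
    out = {}
    for loc, _, ver in hits:
        vt = version_tuple(ver)
        out[loc] = "review" if vt is None else ("patch" if vt < FIXED else "ok")
    return out


def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_fixture(root):
    """Constructed deployment: a WAR with a nested struts2-core jar, a fat jar with
    relocated Struts classes and no pom, and a clean jar. Class bytes are placeholders."""
    core = _zip_bytes({
        POM_PROPS: "version=2.5.32\ngroupId=org.apache.struts\nartifactId=struts2-core\n",
        "org/apache/struts2/interceptor/FileUploadInterceptor.class": b"\xca\xfe\xba\xbe",
    })
    files = {
        "app.war": _zip_bytes({"WEB-INF/lib/struts2-core-2.5.32.jar": core, "index.jsp": b"<html/>"}),
        "service-all.jar": _zip_bytes({
            "shaded/org/apache/struts2/interceptor/FileUploadInterceptor.class": b"\xca\xfe\xba\xbe"}),
        "clean.jar": _zip_bytes({"com/example/Main.class": b"\xca\xfe\xba\xbe"}),
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the fixture, scan it, and return (hits, verdicts)."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        hits = scan_tree(root)
        return hits, triage(hits)


if __name__ == "__main__":
    hits, verdicts = run_demo()
    for loc, evidence, ver in hits:
        print(f"{verdicts[loc]:7} {loc}  ({evidence}, version {ver})")
```

Point `scan_tree` at a Tomcat `webapps/` directory or a vendor product install rather than at a build tree: the nested-archive walk is what finds the copy of struts2-core that never appears in any `pom.xml` you own. A hit with version `unknown` is not a false positive to dismiss; it is exactly the shaded or repackaged case that manifest-only scanners skip, and it needs a human to establish the version.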
PatchDayAlert tracks Struts CVE additions to the KEV catalog and surfaces them the day they land. The interval between a Struts CVE and a working PoC has been under a week, consistently. An inventory audit started from scratch on the day the CVE drops cannot finish inside that window; it has to already exist.
Sources
- Apache Struts S2-066 Advisory (CVE-2023-50164)
- Apache Struts S2-067 Advisory (CVE-2024-53677)
- CISA Alert: Apache Software Foundation Updates Struts 2
- Rapid7: CVE-2023-50164 Analysis
- Akamai: Observed Exploitation Attempts of CVE-2023-50164
- Trend Micro: Decoding CVE-2023-50164
- Dynatrace: Tracing the Emergence of CVE-2024-53677
- Black Duck: Equifax and CVE-2017-5638
- Cybersecurity Dive: Active Exploitation of Apache Struts 2 Flaw
- Security Affairs: Threat Actors Exploiting CVE-2024-53677