
Update dependency org.apache.struts:struts2-core to v6 [SECURITY] - autoclosed#104

Closed
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/maven-org.apache.struts-struts2-core-vulnerability
Closed


Conversation

@renovate renovate Bot commented May 6, 2026

This PR contains the following updates:

Package: org.apache.struts:struts2-core (source)
Change: 2.5.33 -> 6.8.0

Apache Struts file upload logic is flawed

CVE-2024-53677 / GHSA-43mq-6xmg-29vm

Details

File upload logic is flawed vulnerability in Apache Struts. An attacker can manipulate file upload params to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.

This issue affects Apache Struts: from 2.0.0 before 6.4.0.

Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism (https://struts.apache.org/core-developers/file-upload). If you are not using the old file upload logic based on FileUploadInterceptor, your application is safe.

You can find more details at https://cwiki.apache.org/confluence/display/WW/S2-067.

Severity

  • CVSS Score: 9.5 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:Y/R:A/V:C/RE:L/U:Red

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Apache Struts has a Denial of Service vulnerability

CVE-2025-66675 / GHSA-rg58-xhh7-mqjw

Details

Denial of Service vulnerability in Apache Struts: a file leak in multipart request processing causes disk exhaustion.

This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3.

Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: (in timezone Europe/Berlin)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies label May 6, 2026
@renovate renovate Bot requested a review from a team May 6, 2026 12:21
@sonar-review-alpha sonar-review-alpha Bot commented May 6, 2026

Summary

⚠️ The PR description exceeded the analysis limit and was truncated. The review may not reflect all context.

This PR bumps the Apache Struts dependency from 2.5.33 to 6.8.0 in the test sources, a major version upgrade driven by two security vulnerabilities:

  • CVE-2024-53677 (CVSS 9.5, Critical): File upload path traversal leading to potential RCE
  • CVE-2025-66675 (CVSS 8.2, High): DoS via file leak in multipart request processing

The dependency is scoped as "provided" for test compilation only, so this is primarily a test fixture update.

What reviewers should know

What to check:

  • The major version jump (2.5.33 → 6.8.0) may have breaking API changes — verify the test sources still compile and run correctly
  • If this project uses the old FileUploadInterceptor from Struts, check whether migration to the new file upload mechanism is needed (author's description mentions this)
  • Since this is in test sources only, no production code is affected, but test compatibility is critical

File location: java-symbolic-execution/java-symbolic-execution-checks-test-sources/pom.xml — the only change is the version number in a single <dependency> block. This is a straightforward bump with no other modifications.


  • Generate Walkthrough
  • Generate Diagram

🗣️ Give feedback

@hashicorp-vault-sonar-prod hashicorp-vault-sonar-prod Bot commented May 6, 2026

Renovate Jira issue ID: JAVASE-218

@sonar-review-alpha sonar-review-alpha Bot left a comment

LGTM! ✅

Clean, low-risk security upgrade. No test fixture .java files in the module import any Struts2 classes — the dependency exists solely for classpath type resolution during compilation. The major version jump (2.x → 6.x) introduces no breaking changes here because there are no usages to break. Version 6.8.0 is the correct target as it satisfies both CVEs (6.4.0 minimum for CVE-2024-53677, 6.8.0 minimum for CVE-2025-66675).

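The two checks the reviews above describe (is the declared struts2-core version inside the advisories' affected ranges, and does any source in the module actually import Struts, in particular the legacy FileUploadInterceptor that S2-067 singles out) are easy to automate. The following is an added example, not code from this PR, from Renovate or from the sonar-java project. The pom.xml and the two .java files are constructed sample input; the only real identifiers are the Maven coordinates, the CVE ids and version bounds quoted in the advisories above, and the class name org.apache.struts2.interceptor.FileUploadInterceptor.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input (not a file from the repository): a test-sources pom
# pinned to the pre-PR version, with the version behind a property as many poms do.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>checks-test-sources</artifactId>
  <version>1.0-SNAPSHOT</version>
  <properties>
    <struts.version>2.5.33</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</project>
"""

# Constructed sample sources: a fixture that never touches Struts (the case the
# review describes) and one that wires up the legacy upload interceptor.
SAMPLE_SOURCES = {
    "NoStrutsFixture.java": "package fixtures;\nimport java.util.List;\npublic class NoStrutsFixture {}\n",
    "LegacyUpload.java": (
        "package fixtures;\n"
        "import org.apache.struts2.interceptor.FileUploadInterceptor;\n"
        "import org.apache.struts2.ActionSupport;\n"
        "public class LegacyUpload extends ActionSupport {}\n"
    ),
}

# Affected ranges exactly as the two advisories quoted in this PR state them:
# (lower bound, inclusive; upper bound; whether the upper bound is inclusive)
AFFECTED = {
    "CVE-2024-53677": [("2.0.0", "6.4.0", False)],                          # from 2.0.0 before 6.4.0
    "CVE-2025-66675": [("2.0.0", "6.7.4", True), ("7.0.0", "7.0.3", True)],  # through 6.7.4 / through 7.0.3
}

LEGACY_UPLOAD_CLASS = "org.apache.struts2.interceptor.FileUploadInterceptor"
STRUTS_IMPORT = re.compile(r"^\s*import\s+(?:static\s+)?(org\.apache\.struts2?\.[\w.*]+)\s*;", re.M)


def parse_version(v):
    """'2.5.33' -> (2, 5, 33). Qualifiers such as '-SNAPSHOT' are dropped; missing parts pad with 0."""
    nums = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def affected_by(version):
    """CVE ids from AFFECTED whose stated ranges contain `version`, in advisory order."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        for lo, hi, hi_inclusive in ranges:
            if v >= parse_version(lo) and (v <= parse_version(hi) if hi_inclusive else v < parse_version(hi)):
                hits.append(cve)
                break
    return hits


def struts_core_version(pom_xml):
    """Declared version of org.apache.struts:struts2-core, resolving a ${property} reference if present."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_xml)
    for dep in root.iterfind(".//m:dependency", ns):
        if (dep.findtext("m:groupId", default="", namespaces=ns) == "org.apache.struts"
                and dep.findtext("m:artifactId", default="", namespaces=ns) == "struts2-core"):
            version = dep.findtext("m:version", default="", namespaces=ns).strip()
            m = re.fullmatch(r"\$\{(.+)\}", version)
            if not m:
                return version
            props = root.find("m:properties", ns)  # compare local tag names; '.' in the name breaks ElementPath
            for child in (props if props is not None else []):
                if child.tag.split("}")[-1] == m.group(1):
                    return (child.text or "").strip()
            return None  # property comes from a parent pom; resolve there
    return None


def struts_usage(sources):
    """file name -> its Struts imports; an empty result means the dependency only serves type resolution."""
    usage = {}
    for name, src in sources.items():
        imports = STRUTS_IMPORT.findall(src)
        if imports:
            usage[name] = {"imports": imports, "legacy_upload": LEGACY_UPLOAD_CLASS in imports}
    return usage


def audit(pom_xml, sources):
    version = struts_core_version(pom_xml)
    return {"version": version, "cves": affected_by(version) if version else [], "usage": struts_usage(sources)}


if __name__ == "__main__":
    report = audit(SAMPLE_POM, SAMPLE_SOURCES)
    print(f"struts2-core {report['version']}: affected by {report['cves'] or 'none of the listed CVEs'}")
    for name, info in report["usage"].items():
        flag = "  <- legacy file upload, migrate per S2-067" if info["legacy_upload"] else ""
        print(f"  {name}: {', '.join(info['imports'])}{flag}")
    for candidate in ("6.4.0", "6.7.4", "6.8.0", "7.0.3", "7.1.1"):
        print(f"  upgrade to {candidate}: still affected by {affected_by(candidate) or 'nothing listed'}")
```

Run against the real module by reading its pom.xml and globbing its .java files into the two arguments of audit(). The candidate loop at the end reproduces the review's reasoning: 6.4.0 clears only CVE-2024-53677, while 6.8.0 (or 7.1.1 on the 7.x line) clears both, so 6.8.0 is the lowest 6.x target that satisfies this PR.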

@sonarqube-next sonarqube-next Bot commented May 6, 2026

Quality Gate passed

Issues
  • 0 New issues
  • 0 Fixed issues
  • 0 Accepted issues

Measures
  • 0 Security Hotspots
  • 0 Dependency risks
  • No data about Coverage
  • No data about Duplication

See analysis details on SonarQube

@renovate renovate Bot changed the title Update dependency org.apache.struts:struts2-core to v6 [SECURITY] Update dependency org.apache.struts:struts2-core to v6 [SECURITY] - autoclosed May 8, 2026
@renovate renovate Bot closed this May 8, 2026
@renovate renovate Bot deleted the renovate/maven-org.apache.struts-struts2-core-vulnerability branch May 8, 2026 16:35
