Key Takeaways:
An AI tool discovered CVE-2025-68493, a CVSS 8.8 (High) vulnerability in several versions of Apache Struts, including: 2.0.0 – 2.3.37, 2.5.0 – 2.5.33, and 6.0.0 – 6.1.0. It was fixed in version 6.1.1.
This flaw impacts Apache Struts' XWork component, introducing unsafe XML parsing behavior that can be abused in certain configurations.
Two of the affected version ranges (2.0.0 – 2.3.37 and 2.5.0 – 2.5.33) are end-of-life, or EOL, meaning they are no longer maintained and will not release fixed versions. These component versions saw 380,684 downloads over the past seven days.
Apache Struts has a newly disclosed vulnerability, CVE-2025-68493, affecting Struts' XWork component and raising renewed concern about unsafe XML handling and XXE-style risk in certain deployments. According to NVD, affected versions span Struts 2.0.0 up to 6.1.0, with 6.1.1 identified as the fixed release.
What makes this disclosure especially urgent is what we're seeing in Maven Central download telemetry: in just the past 7 days, we observed 387,549 downloads of org.apache.struts:*, and ~98% of that activity was concentrated on end-of-life (EOL) Struts 2.x lines with only ~1.8% on Struts 6.0.0 – 6.1.0.
In this post, we'll break down what defenders need to know about the CVE, and use real ecosystem data to help you gauge exposure, prioritize upgrades, and reduce risk while remediation is underway.
Despite the severity of CVE-2025-68493, public discussion remains relatively muted compared to previous Apache Struts disclosures. There are early advisories and technical write-ups, but no widespread panic yet.
This quiet period is familiar.
Historically, Struts vulnerabilities often follow a predictable arc: initial disclosure, slow organizational response due to upgrade complexity, and eventual attacker weaponization once proof-of-concept techniques circulate more widely.
The real risk does not emerge at disclosure. It emerges in the lag between knowing and changing what is actually deployed.
Sonatype has repeatedly observed this pattern with previous Struts vulnerabilities, including CVE-2023-50164 and CVE-2024-53677. CVE-2025-68493 shows many of the same early indicators.
CVE-2025-68493 impacts Apache Struts 2.0.0 through 6.1.0, specifically within the XWork framework that underpins Struts' action invocation and result processing. XWork's XML handling can be abused under certain configurations, reopening the door to XXE-style behavior and related resource exhaustion scenarios.
While early write-ups emphasize XML safety, the more practical concern for many deployments is service availability. Improperly constrained XML parsing can be leveraged to trigger a denial-of-service attack, consuming CPU or memory until the application becomes unresponsive.
If you're wondering how a denial-of-service attack works in this context: the attacker does not need remote code execution. They only need a path to submit crafted input that forces expensive XML entity expansion or parsing loops, an attack pattern that has repeatedly proven effective against Struts, especially in environments where patching lags behind disclosure.
The Apache project has addressed this issue in Struts 6.1.1, which introduces stricter parser hardening. All prior versions should be considered vulnerable, regardless of when the underlying code was first written or patched upstream.
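The parser hardening described above, as an added example that is not Struts' or XWork's own code: it builds a default JAXP DocumentBuilder next to one configured to refuse DTDs and external entities, then runs both over a constructed input that carries a DOCTYPE with an internal entity and over a plain document. The class and method names are assumptions, and the example assumes the JDK's built-in Xerces parser, which honours the feature URIs used here.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XmlParserHardening {

    // Constructed sample input: an otherwise ordinary document that carries a DOCTYPE
    // with an internal entity. Entity declarations are the mechanism behind both XXE
    // and entity-expansion denial of service, so a hardened parser refuses them outright.
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE config [ <!ENTITY greeting \"hello\"> ]>\n" +
        "<config><value>&greeting;</value></config>";

    // Constructed sample input with no DOCTYPE: both parsers should accept it.
    static final String PLAIN =
        "<?xml version=\"1.0\"?><config><value>hello</value></config>";

    /** Default JAXP configuration: the DTD is processed and entities are expanded. */
    static DocumentBuilder permissiveBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened configuration following the usual JAXP XXE-prevention settings. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE: on its own this blocks XXE and entity-expansion attacks.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 properties: forbid fetching external DTDs and schemas entirely.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses the input and returns the text of <value>, or null if the parser rejected the document. */
    static String parseValue(DocumentBuilder builder, String xml) {
        try {
            Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getElementsByTagName("value").item(0).getTextContent();
        } catch (SAXException | IOException e) {
            // disallow-doctype-decl surfaces as a SAXParseException at the DOCTYPE line.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("permissive, DOCTYPE: " + parseValue(permissiveBuilder(), WITH_DOCTYPE));
        System.out.println("hardened,   DOCTYPE: " + parseValue(hardenedBuilder(), WITH_DOCTYPE));
        System.out.println("hardened,   plain:   " + parseValue(hardenedBuilder(), PLAIN));
    }
}
```

The permissive builder quietly expands the entity, which is exactly the behaviour an entity-expansion DoS relies on; the hardened builder refuses the document at the DOCTYPE while still accepting ordinary input. The same feature set applies to SAXParserFactory and XMLInputFactory if the application parses XML through those APIs rather than DOM.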
At Sonatype, we don't just look at CVSS scores — we look at ecosystem behavior. Using Maven Central download telemetry from the past 7 days, we analyzed the usage of a set of vulnerable org.apache.struts:* artifacts to understand where the risk actually lives.
Struts 2.0.0 – 2.3.37 (EOL): 251,911 downloads (65.00%)
Struts 2.5.0 – 2.5.33 (EOL): 128,773 downloads (33.23%)
Struts 6.0.0 – 6.1.0: 6,865 downloads (1.77%)
That means nearly all observed activity is tied to EOL versions, a pattern we repeatedly observe with high-profile frameworks. The fix is available in version 6.1.1, which saw 6,243 downloads over the same period; within the supported 6.x line alone, that is nearly a 1:1 ratio of vulnerable (6.0.0 – 6.1.0) to fixed downloads in the past week. The issue isn't just the vulnerability; it's the long tail of dependency inertia.
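A way to turn the version ranges above into an exposure check over your own dependency inventory, as an added example that is not Sonatype's or Apache's code. It classifies each org.apache.struts artifact found in constructed lines shaped like `mvn dependency:list` output against the advisory's ranges, treating every version below 6.1.1 as vulnerable (as the text above advises) and separately flagging the EOL 2.x lines, which have no fixed release to move to. The line format, the class and method names, and the assumption that every org.apache.struts artifact tracks the core Struts version are assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.EnumMap;
import java.util.List;
import java.util.Map;

public class StrutsExposureCheck {

    enum Status { EOL_VULNERABLE, VULNERABLE, FIXED }

    // End-of-life ranges from the advisory (inclusive bounds); 6.0.0 – 6.1.0 is
    // vulnerable too but still supported, so it falls through to VULNERABLE below.
    static final String[][] EOL_RANGES = { {"2.0.0", "2.3.37"}, {"2.5.0", "2.5.33"} };
    static final String FIXED_VERSION = "6.1.1";

    /** Reduces "2.5.33" or "2.3.37-RC1" to three numeric components (any qualifier is dropped). */
    static int[] components(String version) {
        String[] parts = version.split("-", 2)[0].split("\\.");
        int[] out = new int[3];
        for (int i = 0; i < 3 && i < parts.length; i++) {
            out[i] = Integer.parseInt(parts[i]);
        }
        return out;
    }

    static int compareVersions(String a, String b) {
        int[] x = components(a), y = components(b);
        for (int i = 0; i < 3; i++) {
            if (x[i] != y[i]) return Integer.compare(x[i], y[i]);
        }
        return 0;
    }

    /** Anything below the fixed release is vulnerable; EOL lines additionally have no in-line upgrade path. */
    static Status classify(String version) {
        if (compareVersions(version, FIXED_VERSION) >= 0) return Status.FIXED;
        for (String[] range : EOL_RANGES) {
            if (compareVersions(version, range[0]) >= 0 && compareVersions(version, range[1]) <= 0) {
                return Status.EOL_VULNERABLE;
            }
        }
        return Status.VULNERABLE;
    }

    /** Walks "groupId:artifactId:type:version:scope" lines and groups Struts artifacts by status. */
    static Map<Status, List<String>> assess(List<String> dependencyLines) {
        Map<Status, List<String>> report = new EnumMap<>(Status.class);
        for (Status s : Status.values()) report.put(s, new ArrayList<>());
        for (String line : dependencyLines) {
            String[] f = line.trim().split(":");
            // Assumption: every org.apache.struts artifact carries the core Struts version.
            if (f.length < 4 || !f[0].equals("org.apache.struts")) continue;
            report.get(classify(f[3])).add(f[0] + ":" + f[1] + ":" + f[3]);
        }
        return report;
    }

    public static void main(String[] args) {
        // Constructed inventory in the shape of `mvn dependency:list` output; not real project data.
        List<String> inventory = Arrays.asList(
            "org.apache.struts:struts2-core:jar:2.5.33:compile",
            "org.apache.struts:struts2-core:jar:2.3.37:compile",
            "org.apache.struts:struts2-convention-plugin:jar:6.1.0:compile",
            "org.apache.struts:struts2-core:jar:6.1.1:compile",
            "org.example:other-lib:jar:1.0.0:compile");
        for (Map.Entry<Status, List<String>> e : assess(inventory).entrySet()) {
            System.out.println(e.getKey() + " (" + e.getValue().size() + "): " + e.getValue());
        }
    }
}
```

Feed it the real output of `mvn dependency:list` (or an SBOM flattened to the same coordinate form) and the EOL_VULNERABLE bucket is the set of artifacts that cannot be fixed by a point upgrade and need a migration plan, while the VULNERABLE bucket is the 6.x set that 6.1.1 resolves directly.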
One detail that makes this vulnerability especially notable is how it was discovered.
According to the Apache Struts security bulletin (S2-069), CVE-2025-68493 was identified by Zast AI, an autonomous AI security research system. While human researchers remain critical, AI-assisted discovery is increasingly capable of identifying complex flaws faster and at greater scale.
AI changes speed, but it does not change consequences. If vulnerabilities are being discovered faster than ever, can organizations realistically keep up using traditional patch-and-upgrade workflows?
Struts is not an outlier here. It's a case study in a broader shift. As AI-driven discovery accelerates, the window between discovery and exploitation shrinks, while organizational remediation timelines often stay the same.
As vulnerability discovery accelerates, defenders need more than CVE alerts. They need guidance at the moment when dependency decisions are made, before vulnerable components ever ship.
CVE-2025-68493 highlights a persistent problem: even when a fix exists, vulnerable versions remain deeply embedded across the ecosystem. As AI accelerates both vulnerability discovery and software creation, the gap between knowing and changing what's deployed continues to widen.
Sonatype Guide helps teams scan their existing Apache Struts dependencies and gives developers and AI coding assistants the context they need to make safer choices upfront. Rather than relying on popularity or auto-complete, Guide surfaces vulnerability, maintenance, and risk signals and recommends better alternatives before risky components are introduced or reused.
When AI speeds up discovery and generation, prevention at the first mile becomes non-negotiable.
CVE-2025-68493 may not yet dominate headlines, but history suggests Struts vulnerabilities rarely stay quiet for long. With time-to-exploit shrinking and patch lag persisting, organizations that succeed will be those that scan what they're running today and guide what gets chosen tomorrow, rather than rely on reactive patching alone.