CVE-2017-9805βApache Struts Deserialization of Untrusted Data Vulnerability
PUBLISHEDvulnerability record
2021-11-03 Β· last modified June 21, 2025
Metadata
Vulnerability Name
Apache Struts Deserialization of Untrusted Data Vulnerability
Description
Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads.
Known To Be Used in Ransomware Campaigns?
Action
Apply updates per vendor instructions.