News & events
Urgent --- Official Apache Struts2 S2-033 Fix Incomplete

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications.

There exists a critical vulnerability in Apache Struts2. Remote attackers could execute arbitrary code on Struct 2 with Dynamic Method Invocation enabled by referencing malicious expressions via REST plugin. The vulnerability is referenced as CVE-2016-3087 and named S2-033.

Researchers from DBAPPSecurity disclosed the fix for Struts2 S2-033 released by Apache is not complete. Remote attackers can still execute arbitrary code on Struts2 with the fix applied.

Affected versions

Struts 2.3.20 - Struts 2.3.28 (excluding and

Unaffected versions

Struts, or


Disable Dynamic Method Invocation

In struts.xml, change <constant name=”struts.enable.DynamicMethodInvocation” value=”true” /> to <constant name=”struts.enable.DynamicMethodInvocation” value=”false”/>. If the above item does not exist, no modification is needed. Or update to Struts2 2.5.

For more information about how to detect the vulnerability on your website, please contact DBAPPSecurity at