Apache Struts

Apache Struts 2
Apache Struts 2
Developer(s)	Apache Software Foundation
Initial release	October 10, 2006; 18 years ago
Stable release	7.0.3 / March 7, 2025; 4 months ago
Repository	github.com/apache/struts ;
Written in	Java
Operating system	Cross-platform
Platform	Cross-platform (JVM)
Predecessor	Apache Struts 1
Type	Web framework
License	Apache License 2.0
Website	Official website

Apache Struts 2 is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller (MVC) architecture. The WebWork framework spun off from Apache Struts 1 aiming to offer enhancements and refinements while retaining the same general architecture of the original Struts framework. In December 2005, it was announced that WebWork 2.2 was adopted as Apache Struts 2, which reached its first full release in February 2007.^[2]

Current status

Apache Struts 2 is actively maintained with regular releases. As of 2025, the project maintains two major versions:^[3]

Struts 6.x series: Requires Java 8, Servlet API 3.1, and JSP API 2.1
Struts 7.x series: Requires Java 17 and Jakarta EE

The framework receives approximately 300,000 downloads per month, indicating continued widespread adoption.^[4] The Struts 2.5.x branch reached end-of-life in 2023.^[5]

Security issues

Struts 2 has a history of critical security bugs,^[6] many tied to its use of OGNL technology.^[7] Some vulnerabilities can lead to arbitrary code execution.

Equifax data breach

In October 2017, it was reported that failure by Equifax to address a Struts 2 vulnerability (CVE-2017-5638) advised in March 2017 was later exploited in the data breach that was disclosed by Equifax in September 2017.^[8]^[9]

Recent vulnerabilities

In November 2024, Apache disclosed CVE-2024-53677, a critical vulnerability with a CVSS severity rating of 9.5 out of 10, affecting applications using the deprecated FileUploadInterceptor. This vulnerability allows for path traversal, malicious file uploads, and remote code execution.^[10]

Features

Apache Struts 2 provides the following features:

Core features

Simple POJO-based actions^[11]
Simplified testability
Thread-safe architecture
Template support^[12]
Support for different result types^[13]
Easy extensibility through plugins

Ajax and UI support

AJAX support
- jQuery plugin for Ajax support and UI widgets
- Ajax client-side validation
- Dojo Toolkit plugin^[14] (deprecated)

Integration plugins

REST plugin^[15] for REST-based actions and extension-less URLs
Convention plugin for configuration via conventions and annotations
Spring plugin^[16] for dependency injection
Hibernate plugin for ORM support
JFreechart plugin for chart generation
Rome plugin for RSS/Atom feed support

Version history

Major releases

Struts 2.0 (2007): Initial release after merger with WebWork
Struts 2.5 (2016–2023): Long-term support version, reached end-of-life in 2023
Struts 6.0 (2022): Introduced modularization and improved security features
Struts 7.0 (2024): Migrated to Jakarta EE, requires Java 17

Notes

^ "Struts 7.0.3". GitHub. Retrieved 16 March 2025.
^ "About Apache Struts 2". Archived from the original on January 14, 2014. Retrieved 2014-01-14.
^ "Announcements 2025". Apache Struts. Retrieved 2025-05-29.
^ Jones, Connor (December 12, 2024). "Apache issues patches for critical Struts 2 RCE bug". The Register. Retrieved 2025-05-29.
^ "Announcements 2023 - Apache Struts". Apache Struts. Retrieved 2025-05-29.
^ "Apache Struts : List of security vulnerabilities". CVE Details. Retrieved October 2, 2017.
^ Munoz, Alvaro (January 14, 2014). "Struts 2: OGNL Expression Injections". HPE.com. Archived from the original on October 3, 2017. Retrieved October 2, 2017.
^ Chirgwin, Richard (October 2, 2017). "Equifax couldn't find or patch vulnerable Struts implementations". The Register. Retrieved October 2, 2017.
^ Goodin, Dan (October 2, 2017). "A series of delays and major errors led to massive Equifax breach". Ars Technica. Retrieved October 2, 2017.
^ "CVE-2024-53677 - Vulnerability impacting Apache Struts 2". Canadian Centre for Cyber Security. November 26, 2024. Retrieved 2025-05-29.
^ Newton 2009, p. 9, §1 Struts and Agile Development - Actions.
^ Newton 2009, p. 294, §12 Comprehensive Testing - Detour: Struts and Spring in a nutshell.
^ Newton 2009, pp. 57–81, §4 Results and Result Types - Dojo tags.
^ Newton 2009, p. 258, §13 Rich Internet Applications - Dojo tags.
^ Newton 2009, pp. 249–255, §12 Themes and Templates - The REST plug-in.
^ Newton 2009, p. 294, §13 Comprehensive Testing - Detour: Struts and Spring in a nutshell.

References

Newton, Dave (2009). Apache Struts 2 Web Application Development. Packt Publishing. ISBN 978-1-84719-339-1.

External links

[1] "Struts 7.0.3". GitHub. Retrieved 16 March 2025.

[2] "About Apache Struts 2". Archived from the original on January 14, 2014. Retrieved 2014-01-14.

[3] "Announcements 2025". Apache Struts. Retrieved 2025-05-29.

[4] Jones, Connor (December 12, 2024). "Apache issues patches for critical Struts 2 RCE bug". The Register. Retrieved 2025-05-29.

[5] "Announcements 2023 - Apache Struts". Apache Struts. Retrieved 2025-05-29.

[6] "Apache Struts : List of security vulnerabilities". CVE Details. Retrieved October 2, 2017.

[7] Munoz, Alvaro (January 14, 2014). "Struts 2: OGNL Expression Injections". HPE.com. Archived from the original on October 3, 2017. Retrieved October 2, 2017.

[8] Chirgwin, Richard (October 2, 2017). "Equifax couldn't find or patch vulnerable Struts implementations". The Register. Retrieved October 2, 2017.

[9] Goodin, Dan (October 2, 2017). "A series of delays and major errors led to massive Equifax breach". Ars Technica. Retrieved October 2, 2017.

[10] "CVE-2024-53677 - Vulnerability impacting Apache Struts 2". Canadian Centre for Cyber Security. November 26, 2024. Retrieved 2025-05-29.

[FOOTNOTENewton20099§1_Struts_and_Agile_Development_-_Actions-11] Newton 2009, p. 9, §1 Struts and Agile Development - Actions.

[FOOTNOTENewton2009294§12_Comprehensive_Testing_-_Detour:_Struts_and_Spring_in_a_nutshell-12] Newton 2009, p. 294, §12 Comprehensive Testing - Detour: Struts and Spring in a nutshell.

[FOOTNOTENewton200957–81§4_Results_and_Result_Types_-_Dojo_tags-13] Newton 2009, pp. 57–81, §4 Results and Result Types - Dojo tags.

[FOOTNOTENewton2009258§13_Rich_Internet_Applications_-_Dojo_tags-14] Newton 2009, p. 258, §13 Rich Internet Applications - Dojo tags.

[FOOTNOTENewton2009249–255§12_Themes_and_Templates_-_The_REST_plug-in-15] Newton 2009, pp. 249–255, §12 Themes and Templates - The REST plug-in.

[FOOTNOTENewton2009294§13_Comprehensive_Testing_-_Detour:_Struts_and_Spring_in_a_nutshell-16] Newton 2009, p. 294, §13 Comprehensive Testing - Detour: Struts and Spring in a nutshell.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

v t e Web frameworks
Comparison
.NET	ASP.NET Core AJAX Dynamic Data MVC Razor Web Forms Blazor DNN BFC MonoRail Umbraco WebSharper
C++	CppCMS Drogon Wt
ColdFusion	ColdBox Platform
Common Lisp	CL-HTTP
Haskell	Servant Snap Yesod
Java	AppFuse Grails GWT ICEfaces JHipster JWt Mojarra Play Remote Application Platform Seam Sling Spring Stripes Struts Tapestry Vaadin Vert.x Wicket WaveMaker ZK
JavaScript	Angular/AngularJS Backbone.js Closure Dojo Toolkit Ember.js Express.js Ext JS Fastify htmx jQuery Knockout.js Meteor MooTools NestJS Next.js Nuxt.js Node.js OpenUI5 Prototype React Remix Sencha Touch SproutCore Svelte Vue.js
Perl	Catalyst Dancer Maypole Mojolicious WebGUI
PHP	CakePHP CodeIgniter Drupal eZ Publish Fat-Free Flow FuelPHP Grav Gyroscope Horde Joomla! Laminas Laravel li₃ Midgard MODX Phalcon PHP-Fusion PHP-Nuke Pop PHP PRADO ProcessWire Qcodo Silverstripe Symfony TYPO3 WordPress XOOPS Yii
Python	BlueBream CherryPy CubicWeb Django FastAPI Flask Grok Nevow Pyjs Pylons Pyramid Quixote Tornado TurboGears web2py Zope 2 more...
Ruby	Merb Padrino Ruby on Rails Sinatra
Rust	Rocket
Scala	Lift Play Scalatra
Smalltalk	AIDA/Web Seaside
Other languages	Application Express (PL/SQL) Grails (Groovy) OpenACS (Tcl) Phoenix (Elixir) Shiny (web framework) (R) SproutCore (JavaScript-Ruby) Yaws (Erlang)

v t e The Apache Software Foundation
Top-level projects	Accumulo ActiveMQ Airavata Airflow Allura Ambari Ant Aries Arrow Apache HTTP Server APR Avro Axis Axis2 Beam Bloodhound Brooklyn Calcite Camel CarbonData Cassandra Cayenne CloudStack Cocoon Cordova CouchDB cTAKES CXF Derby Directory Drill Druid Empire-db Felix Flex Flink Flume FreeMarker Geronimo Groovy Guacamole Gump Hadoop HBase Helix Hive Iceberg Ignite Impala Jackrabbit James Jena JMeter Kafka Kudu Kylin Lucene Mahout Maven MINA mod_perl MyFaces Mynewt NiFi NetBeans Nutch NuttX OFBiz Oozie OpenEJB OpenJPA OpenNLP OрenOffice ORC PDFBox Parquet Phoenix POI Pig Pinot Pivot Qpid Roller RocketMQ Samza Shiro SINGA Sling Solr Spark Storm SpamAssassin Struts 1 Subversion Superset SystemDS Tapestry Thrift Tika TinkerPop Tomcat Trafodion Traffic Server UIMA Velocity Wicket Xalan Xerces XMLBeans Yetus ZooKeeper
Commons	BCEL BSF Daemon Jelly Logging
Incubator	Taverna
Other projects	Batik FOP Ivy Log4j
Attic	Apex AxKit Beehive iBATIS Click Continuum Deltacloud Etch Giraph Hama Harmony Jakarta Marmotta MXNet ODE River Shale Slide Sqoop Stanbol Tuscany Wave XML
Licenses	Apache License
Category