CVE-2017-12611 in Struts
Summary
by MITRE
In Apache Struts 2.0.1 through 2.3.33 and 2.5 through 2.5.10, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.
Analysis
by VulDB Data Team • 06/24/2025
Apache Struts is a widely adopted Java web application framework for building enterprise-level web applications on a Model-View-Controller architecture. CVE-2017-12611 affects the framework's handling of Freemarker template processing within its tag library implementation. The flaw exists in versions 2.0.1 through 2.3.33 and also affects versions 2.5 through 2.5.10, creating a substantial attack surface across multiple release lines. It stems from the framework's improper sanitization of user input when processing Freemarker expressions within tag attributes, which allows malicious actors to inject and execute arbitrary code on affected systems.

Technically, the framework uses the OGNL (Object-Graph Navigation Language) expression language within Freemarker templates, and user-controlled data is processed without adequate validation or escaping. When an application using an affected Struts version processes user input through Freemarker tags that contain expression syntax instead of literal strings, the framework evaluates these expressions as code rather than treating them as simple text. This creates a critical remote code execution vector for attackers who control input parameters processed by the vulnerable framework components. The vulnerability aligns with CWE-94, "Improper Control of Generation of Code", which covers situations where applications fail to properly control the generation or execution of code based on user input.

From an operational perspective, the vulnerability enables attackers to execute arbitrary commands on the application server with the privileges of the web application process, potentially leading to complete system compromise. The attack requires minimal prerequisites beyond the ability to submit data to an application using the vulnerable Struts framework, which makes it particularly dangerous in environments where applications process untrusted user input through Freemarker templates. Organizations running affected versions face significant risk, as the vulnerability can be exploited for data exfiltration, system reconnaissance, and establishment of persistent backdoors. The ATT&CK framework categorizes this vulnerability under T1059.001, "Command and Scripting Interpreter: PowerShell", as the executed commands can leverage various system utilities and scripting capabilities. Exploitation typically involves crafting malicious input that contains OGNL expressions which, when processed by the vulnerable framework, translate into executable code on the target system.

The vulnerability demonstrates the critical importance of proper input validation and the dangerous consequences of insufficient sanitization of user-supplied data in web application frameworks. The remediation strategy is to upgrade to Apache Struts 2.3.34 or 2.5.11, which contain patches that properly validate and escape Freemarker expressions. Organizations should additionally implement input validation measures and consider deploying web application firewalls to detect and block exploitation attempts. Security teams must also conduct thorough vulnerability assessments to identify all applications using affected Struts versions and ensure comprehensive patch management across their infrastructure.
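
The construct named in the summary, an expression in a Freemarker tag where a string literal was intended, can be located in application templates before and after upgrading. The following Python audit is an added example, not part of the original entry or of Struts itself; it assumes the Struts tag library is bound to the usual `s` namespace (`<@s.hidden ... />`), and `audit_template`, `is_expression` and the sample template are constructed for illustration.

```python
import re

# Struts UI tags as used from FreeMarker, e.g. <@s.hidden name="x" value="y" />
# (assumption: the tag library is bound to the usual "s" namespace).
TAG_RE = re.compile(r'<@s\.(\w+)\b([^>]*)>')
ATTR_RE = re.compile(r'''([\w-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s"'/>]+)''')
# Unquoted values that are plain FreeMarker literals, not variable references.
LITERAL_RE = re.compile(r'^(true|false|-?\d+(\.\d+)?)$')


def is_expression(raw):
    """True when an attribute value is computed by FreeMarker, not a literal."""
    if raw[0] in '"\'':
        # Quoted string: only of interest when it carries an interpolation.
        return '${' in raw
    # Unquoted: a variable reference unless it is a boolean or number.
    return not LITERAL_RE.match(raw)


def audit_template(text):
    """Return (line, tag, attribute, raw_value) for expression-valued attributes."""
    findings = []
    for tag in TAG_RE.finditer(text):
        line = text.count('\n', 0, tag.start()) + 1
        for attr in ATTR_RE.finditer(tag.group(2)):
            if is_expression(attr.group(2)):
                findings.append((line, tag.group(1), attr.group(1), attr.group(2)))
    return findings


# Constructed sample template, not taken from any real application.
SAMPLE = '''<@s.form action="save">
  <@s.hidden name="redirectUri" value="${redirectUri}" />
  <@s.hidden name="token" value=token />
  <@s.textfield name="city" label="City" />
  <@s.checkbox name="remember" value=true />
</@s.form>
'''

if __name__ == '__main__':
    for line, tag, attr, raw in audit_template(SAMPLE):
        print(f'line {line}: <@s.{tag}> {attr}={raw} is an expression; review its source')
```

Findings are candidates for review rather than confirmed vulnerabilities: a flagged attribute matters when request data can reach the value it evaluates. The regex treats `>` as the end of a tag, so attribute values containing `>` need manual inspection.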