Back to KEVs

CVE-2017-9805

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for...

Basic Information

CVE State
PUBLISHED
Reserved Date
June 21, 2017
Published Date
September 15, 2017
Last Updated
October 21, 2025
Vendor
Apache Software Foundation
Product
Apache Struts
Description
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
Tags
apache cisa nuclei_scanner metasploit

CVSS Scores

CVSS v3.1

8.1 - HIGH

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2021-11-03 00:00:00 UTC) Source

References

http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html https://struts.apache.org/docs/s2-052.html http://www.securitytracker.com/id/1039263 http://www.securityfocus.com/bid/100609 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2 https://bugzilla.redhat.com/show_bug.cgi?id=1488482 https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax https://www.exploit-db.com/exploits/42627/ https://lgtm.com/blog/apache_struts_CVE-2017-9805 https://cwiki.apache.org/confluence/display/WW/S2-052 https://security.netapp.com/advisory/ntap-20170907-0001/ https://www.kb.cert.org/vuls/id/112992

Known Exploited Vulnerability Information

Source Added Date
CISA 2021-11-03 00:00:00 UTC
CISA 2021-11-03 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Metasploit https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts2_rest_xstream.rb 2025-04-28 15:02:23 UTC
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2017/CVE-2017-9805.yaml 2025-04-25 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

struts2_rest_xstream

Type: metasploit • Created: Unknown

Metasploit module for CVE-2017-9805

Shakun8/CVE-2017-9805

Type: github • Created: 2022-10-03 00:15:31 UTC • Stars: 3

CVE-2017-9805 POC

0xd3vil/CVE-2017-9805-Exploit

Type: github • Created: 2021-04-04 04:35:19 UTC • Stars: 1

CVE-2017-9805-Exploit

z3bd/CVE-2017-9805

Type: github • Created: 2021-03-05 21:57:11 UTC • Stars: 0

struts2-rest-showcase 2.5.10

jongmartinez/-CVE-2017-9805-

Type: github • Created: 2020-11-28 00:00:37 UTC • Stars: 1

Exploit script for Apache Struts2 REST Plugin XStream RCE (‎CVE-2017-9805)

wifido/CVE-2017-9805-Exploit

Type: github • Created: 2020-06-11 07:36:56 UTC • Stars: 0

Struts 2.5 - 2.5.12 REST Plugin XStream RCE

AvishkaSenadheera/CVE-2017-9805---Documentation---IT19143378

Type: github • Created: 2020-05-12 17:53:57 UTC • Stars: 0

UbuntuStrike/CVE-2017-9805-Apache-Struts-Fuzz-N-Sploit

Type: github • Created: 2019-09-02 22:24:07 UTC • Stars: 0

A script to Fuzz and and exploit Apache struts CVE-2017-9805

UbuntuStrike/struts_rest_rce_fuzz-CVE-2017-9805-

Type: github • Created: 2019-08-31 22:06:31 UTC • Stars: 1

Simple python script to fuzz site for CVE-2017-9805

0x00-0x00/-CVE-2017-9805

Type: github • Created: 2017-11-24 14:46:35 UTC • Stars: 16

Exploit script for Apache Struts2 REST Plugin XStream RCE (‎CVE-2017-9805)

Lone-Ranger/apache-struts-pwn_CVE-2017-9805

Type: github • Created: 2017-09-10 05:26:03 UTC • Stars: 5

An exploit for Apache Struts CVE-2017-9805

mazen160/struts-pwn_CVE-2017-9805

Type: github • Created: 2017-09-09 01:32:57 UTC • Stars: 250

An exploit for Apache Struts CVE-2017-9805

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel

  • Added to KEVIntel

  • Detected by Nuclei

  • Detected by Metasploit