{"cve":{"cve_id":"CVE-2017-9805","is_kev":true,"kev_date_added":"2021-11-03","kev_vendor_project":"Apache","kev_product":"Struts","kev_vulnerability_name":"Apache Struts Deserialization of Untrusted Data Vulnerability","kev_short_description":"Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads.","kev_required_action":"Apply updates per vendor instructions.","kev_due_date":"2022-05-03","kev_known_ransomware":false,"kev_notes":"https://nvd.nist.gov/vuln/detail/CVE-2017-9805","kev_cwes":["CWE-502"],"epss_score":0.99461,"epss_percentile":0.99938,"epss_as_of":"2026-06-23","description":"The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.","published_at":"2017-09-15T19:00:00Z","last_modified_at":null,"cvss_v3_score":8.1,"cvss_v3_vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","cvss_v3_severity":"HIGH","cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":"active","ssvc_automatable":false,"ssvc_technical_impact":"total","cwes":["CWE-502"],"nvd_references":["http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html","https://struts.apache.org/docs/s2-052.html","http://www.securitytracker.com/id/1039263","http://www.securityfocus.com/bid/100609","https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2","https://bugzilla.redhat.com/show_bug.cgi?id=1488482","https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax","https://www.exploit-db.com/exploits/42627/","https://lgtm.com/blog/apache_struts_CVE-2017-9805","https://cwiki.apache.org/confluence/display/WW/S2-052","https://security.netapp.com/advisory/ntap-20170907-0001/","https://www.kb.cert.org/vuls/id/112992"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-24T00:09:31.350578Z","updated_at":"2026-06-28T23:10:24.539427Z"},"effective_severity":"HIGH","badges":["kev","poc","epss"],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"H","value_label":"High"},{"metric":"PR","name":"Privileges Required","value":"N","value_label":"None"},{"metric":"UI","name":"User Interaction","value":"N","value_label":"None"},{"metric":"S","name":"Scope","value":"U","value_label":"Unchanged"},{"metric":"C","name":"Confidentiality","value":"H","value_label":"High"},{"metric":"I","name":"Integrity","value":"H","value_label":"High"},{"metric":"A","name":"Availability","value":"H","value_label":"High"}]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"apache-software-foundation","vendor_name":"Apache Software Foundation","product_slug":"apache-struts","product_name":"Apache Struts","version_start":"Apache Struts before 2.3.34 and 2.5.x before 2.5.13","version_start_inclusive":true,"version_end":"Apache Struts before 2.3.34 and 2.5.x before 2.5.13","version_end_inclusive":true,"cpe23_uri":"cve5:apache-software-foundation:apache-struts:Apache Struts before 2.3.34 and 2.5.x before 2.5.13:Apache Struts before 2.3.34 and 2.5.x before 2.5.13"}],"exploit_refs":[{"source":"nuclei","kind":"nuclei","url":"https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2017/CVE-2017-9805.yaml","title":"Apache Struts2 S2-052 - Remote Code Execution","author":"pikpikcu","disclosed_at":null}],"news":[],"references":[{"url":"http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html","source_type":"VENDOR_ADVISORY","tags":["advisory"]},{"url":"https://struts.apache.org/docs/s2-052.html","source_type":"MISC","tags":[]},{"url":"http://www.securitytracker.com/id/1039263","source_type":"MISC","tags":[]},{"url":"http://www.securityfocus.com/bid/100609","source_type":"MISC","tags":[]},{"url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2","source_type":"VENDOR_ADVISORY","tags":["advisory"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1488482","source_type":"MISC","tags":[]},{"url":"https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax","source_type":"MISC","tags":[]},{"url":"https://www.exploit-db.com/exploits/42627/","source_type":"EXPLOIT","tags":["exploit"]},{"url":"https://lgtm.com/blog/apache_struts_CVE-2017-9805","source_type":"MISC","tags":[]},{"url":"https://cwiki.apache.org/confluence/display/WW/S2-052","source_type":"MISC","tags":[]},{"url":"https://security.netapp.com/advisory/ntap-20170907-0001/","source_type":"MISC","tags":[]},{"url":"https://www.kb.cert.org/vuls/id/112992","source_type":"MISC","tags":[]}],"timeline":[{"type":"published","at":"2017-09-15T19:00:00Z","label":"CVE published","source":null},{"type":"cisa_reported","at":"2021-11-03T00:00:00Z","label":"Added to CISA KEV catalog","source":"kev"},{"type":"poc_available","at":"2026-06-24T00:29:48.638073Z","label":"Public PoC available","source":"nuclei"},{"type":"ssvc_changed","at":"2026-06-24T00:31:10.389451Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"ssvc_changed","at":"2026-06-24T00:31:10.389451Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"ssvc_changed","at":"2026-06-24T00:31:10.389451Z","label":"SSVC decision revised","source":"vulnrichment"},{"type":"cvss_changed","at":"2026-06-24T00:31:10.389451Z","label":"CVSS score revised","source":"vulnrichment"},{"type":"cvss_changed","at":"2026-06-24T00:31:10.389451Z","label":"CVSS score revised","source":"vulnrichment"},{"type":"cvss_changed","at":"2026-06-24T00:31:10.389451Z","label":"CVSS score revised","source":"vulnrichment"}]}