|Home > Security Bulletins > S2-019|
Dynamic Method Invocation disabled by default
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Dynamic method executions
Maximum security rating
Developers should immediately upgrade to Struts 22.214.171.124
Struts 2.0.0 - Struts 126.96.36.199
email@example.com, HelloWorld security team
Dynamic Method Invocation is a mechanism known to impose possible security vulnerabilities, but until now it was enabled by default with warning that users should switch it off if possible.
In Struts 188.8.131.52 the Dynamic Method Invocation is to false by default. Another option is to set
struts.enable.DynamicMethodInvocation to false in struts.xml
Disabling Dynamic Method Invocation can break your application if it uses DMI heavily. Nevertheless, please consider to refactor your application to avoid DMI.
It is strongly recommended to upgrade to Struts 184.108.40.206, which contains the corrected Struts2-Core library.