Home > Security Bulletins > S2-019


Dynamic Method Invocation disabled by default

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Dynamic method executions

Maximum security rating



Developers should immediately upgrade to Struts

Affected Software

Struts 2.0.0 - Struts


shine@wooyun.org, HelloWorld security team

CVE Identifier



Dynamic Method Invocation is a mechanism known to impose possible security vulnerabilities, but until now it was enabled by default with warning that users should switch it off if possible.


In Struts the Dynamic Method Invocation is to false by default. Another option is to set struts.enable.DynamicMethodInvocation to false in struts.xml

<constant name="struts.enable.DynamicMethodInvocation" value="false"/>

Backward Compatibility

Disabling Dynamic Method Invocation can break your application if it uses DMI heavily. Nevertheless, please consider to refactor your application to avoid DMI.

It is strongly recommended to upgrade to Struts, which contains the corrected Struts2-Core library.