S2-019: Dynamic Method Invocation disabled by default

Who should read this: All Struts 2 developers and users
Impact of vulnerability: Dynamic method executions
Maximum security rating
Recommendation: Developers should immediately upgrade to Struts 220.127.116.11
Affected Software: Struts 2.0.0 - Struts 18.104.22.168
Reporter: firstname.lastname@example.org, HelloWorld security team
Dynamic Method Invocation is a mechanism known to expose applications to possible security vulnerabilities, but until now it was enabled by default, with a warning that users should switch it off if possible.
In Struts 22.214.171.124, Dynamic Method Invocation is set to false by default. Another option is to set struts.enable.DynamicMethodInvocation to false in struts.xml.
Disabling Dynamic Method Invocation can break your application if it relies heavily on DMI. Nevertheless, please consider refactoring your application to avoid DMI.
It is strongly recommended to upgrade to Struts 126.96.36.199, which contains the corrected Struts2-Core library.
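The struts.xml fragment below is an added example, not part of the original bulletin. It shows the constant the bulletin names set explicitly to false (the weak, pre-change setting is left commented out for comparison), together with the explicit method mapping that replaces DMI once an application has been refactored. The package, action, class and JSP names are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- Weak setting (the old default): DMI enabled, so the request, not the
         configuration, decides which action method runs. Shown only for contrast. -->
    <!-- <constant name="struts.enable.DynamicMethodInvocation" value="true" /> -->

    <!-- Hardened setting: disable DMI explicitly. This matches the new default
         and protects older releases that still default to true. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <!-- Hypothetical package and action names. With DMI off, every method that
         should be reachable is mapped explicitly through the method attribute,
         so the set of callable methods is fixed by this file. -->
    <package name="example" namespace="/" extends="struts-default">
        <action name="saveUser" class="com.example.UserAction" method="save">
            <result name="success">/WEB-INF/jsp/userSaved.jsp</result>
            <result name="input">/WEB-INF/jsp/userForm.jsp</result>
        </action>
        <action name="deleteUser" class="com.example.UserAction" method="delete">
            <result name="success">/WEB-INF/jsp/userDeleted.jsp</result>
        </action>
    </package>
</struts>
```

After applying this configuration, check that no remaining URLs or forms in the application depend on DMI; any action method that is not mapped here (or through a wildcard mapping with a method attribute) will no longer be invocable, which is the intended effect.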