Home > Security Bulletins > S2-024


Wrong excludeParams overrides those defined in DefaultExcludedPatternsChecker

Who should read this

All Struts 2 developers and users

Impact of vulnerability

If default settings are used, the attacker can compromise internal state of an application

Maximum security rating



Developers should immediately upgrade to Struts or introduce the below change in framework's settings

Affected Software

Struts 2.3.20


Jasper Rosenberg at Cargurus

CVE Identifier



Wrong default exclude patterns were introduced in version 2.3.20 of Struts, if default settings are used, the attacker can compromise internal application's state.


In Struts a better set of exlude patterns was defined.

Backward compatibility

No backward compatibility problems are expected.


If you cannot migrate to the latest version it's highly recommended to re-define defaultStack from struts-default.xml to this one below (or any other which is used in your application and drop excludeParams parameter):

Redefined defaultStack
<interceptor-stack name="myDefaultStack">
    <interceptor-ref name="exception"/>
    <interceptor-ref name="alias"/>
    <interceptor-ref name="servletConfig"/>
    <interceptor-ref name="i18n"/>
    <interceptor-ref name="prepare"/>
    <interceptor-ref name="chain"/>
    <interceptor-ref name="scopedModelDriven"/>
    <interceptor-ref name="modelDriven"/>
    <interceptor-ref name="fileUpload"/>
    <interceptor-ref name="checkbox"/>
    <interceptor-ref name="datetime"/>
    <interceptor-ref name="multiselect"/>
    <interceptor-ref name="staticParams"/>
    <interceptor-ref name="actionMappingParams"/>
    <interceptor-ref name="params"/>
    <interceptor-ref name="conversionError"/>
    <interceptor-ref name="validation">
        <param name="excludeMethods">input,back,cancel,browse</param>
    <interceptor-ref name="workflow">
        <param name="excludeMethods">input,back,cancel,browse</param>
    <interceptor-ref name="debugging"/>
    <interceptor-ref name="deprecation"/>

and define the following constant in struts.xml

<constant name="struts.additional.excludedPatterns" value="^(action|method):.*"/>