Legacy Apache Struts installations carry well-known critical flaws, including remote code execution bugs fixed long ago, and the sheer volume of end-of-life downloads shows how urgently the software supply chain needs remediation.
The continued pull of outdated Apache Struts binaries underscores a broader supply-chain problem: legacy components linger in production long after the project stops supporting them. Sonatype's data shows that nearly four hundred thousand developers or automated build tools still fetch end-of-life (EOL) versions, handing attackers weaknesses that are already public and already weaponized. The pattern is not unique to Struts; it reflects a growing inventory of unmaintained libraries that inflate an organization's attack surface and complicate compliance.
What makes this episode notable is the role of AI in vulnerability discovery. Zast AI, an autonomous research platform, flagged the unsafe XML parsing bug faster than traditional manual audits would have. AI accelerates identification, but the same acceleration is available to anyone hunting for bugs, so the window between disclosure and exploitation shrinks and teams are left scrambling to patch. The flaw, CVE-2025-68493 with a CVSS score of 8.8, lets crafted input drive the parser into an infinite loop that drains server resources and causes a denial of service; the impact is availability, not code execution. The speed of AI-driven discovery therefore demands equally fast response mechanisms, such as automated alerts and continuous-integration checks that fail a build on a known-vulnerable dependency.
Mitigating the risk hinges on inventory hygiene and prompt migration to the Struts 6.1.1 release, which hardens the XML parser against the malicious payloads. Enterprises should use Software Bills of Materials (SBOMs) and dependency-tracking tools to locate Struts instances across codebases and runtime environments. One caveat: an SBOM generated from a build lists declared dependencies, so jars copied by hand into WEB-INF/lib or bundled inside vendor WAR files can be missed, and deployed artifacts should be inspected directly as well. Coupling these practices with DevSecOps pipelines, where patches are tested and rolled out automatically, shortens exposure and meets regulatory expectations. As auditors and customers scrutinize legacy software risk more closely, a proactive upgrade strategy becomes a differentiator for security-focused organizations.
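As an added example (not code from the article, Sonatype or the Apache Struts project), the script below performs the locating step described above in two ways: it reads a CycloneDX JSON SBOM and flags Struts components older than the 6.1.1 release the article names, and it reads the Maven pom.properties file that a built struts2-core jar carries under META-INF, for deployed hosts where no SBOM exists. The SBOM and the jar are constructed inline. Treating every org.apache.struts artifact below 6.1.1 as needing an upgrade, and the `struts2-*-plugin` naming pattern, are simplifications assumed here rather than anything the page states.

```python
"""Locate Apache Struts components older than a fixed release.

Added example, not code from the article or the Apache Struts project. It
assumes a CycloneDX JSON SBOM with Maven purls, and treats every
org.apache.struts artifact below FIXED_VERSION as needing an upgrade (a
simplification). The SBOM and jar below are constructed for illustration.
"""
import io
import re
import zipfile
from typing import Iterator, Optional

FIXED_VERSION = "6.1.1"  # release the article names as hardened

# Struts core and plugin jars share one version line, so both are checked.
STRUTS_GROUP = "org.apache.struts"
STRUTS_ARTIFACT_RE = re.compile(r"^struts2-(core|[\w-]+-plugin)$")
# pkg:maven/<group>/<artifact>@<version>?type=jar ; qualifiers after ? are ignored
PURL_RE = re.compile(r"^pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@]+)@(?P<version>[^?#]+)")
# Maven embeds this file in every jar it builds, naming the exact artifact and version.
POM_PROPS_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(version: str) -> tuple:
    """'2.5.33' or '6.1.1-SNAPSHOT' -> tuple that sorts correctly.

    Numeric parts are padded to four places; a qualifier such as -SNAPSHOT
    marks a pre-release build, which sorts before the plain release.
    """
    nums, qualified = [], False
    for piece in re.split(r"[.\-]", version):
        if piece.isdigit() and not qualified:
            nums.append(int(piece))
        else:
            qualified = True
    nums = (nums + [0, 0, 0, 0])[:4]
    return tuple(nums) + ((-1,) if qualified else (0,))


def needs_upgrade(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when a Struts version is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def is_struts_artifact(group: str, artifact: str) -> bool:
    return group == STRUTS_GROUP and bool(STRUTS_ARTIFACT_RE.match(artifact))


def struts_components(sbom: dict) -> Iterator[dict]:
    """Yield every Struts component in a CycloneDX JSON SBOM, identified by purl."""
    for comp in sbom.get("components", []):
        m = PURL_RE.match(comp.get("purl", ""))
        if m and is_struts_artifact(m["group"], m["artifact"]):
            yield {"name": f'{m["group"]}:{m["artifact"]}',
                   "version": m["version"], "bom_ref": comp.get("bom-ref", "")}


def find_vulnerable(sbom: dict, fixed: str = FIXED_VERSION) -> list:
    """Struts components in the SBOM that are older than the fixed release."""
    return [c for c in struts_components(sbom) if needs_upgrade(c["version"], fixed)]


def struts_version_from_jar(jar) -> Optional[dict]:
    """Identify a Struts jar (path or file object) from its embedded pom.properties.

    Meant for deployed hosts with no SBOM; returns None for non-Struts jars.
    """
    with zipfile.ZipFile(jar) as zf:
        for entry in zf.namelist():
            m = POM_PROPS_RE.match(entry)
            if not m or not is_struts_artifact(m.group(1), m.group(2)):
                continue
            props = {}
            for line in zf.read(entry).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.lstrip().startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            return {"name": f'{props["groupId"]}:{props["artifactId"]}',
                    "version": props["version"]}
    return None


# Constructed sample SBOM (not real project data).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg-1", "type": "library", "name": "struts2-core", "version": "2.5.33",
         "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.33?type=jar"},
        {"bom-ref": "pkg-2", "type": "library", "name": "struts2-core", "version": "6.1.1",
         "purl": "pkg:maven/org.apache.struts/struts2-core@6.1.1?type=jar"},
        {"bom-ref": "pkg-3", "type": "library", "name": "struts2-convention-plugin",
         "version": "6.0.3",
         "purl": "pkg:maven/org.apache.struts/struts2-convention-plugin@6.0.3?type=jar"},
        {"bom-ref": "pkg-4", "type": "library", "name": "commons-lang3", "version": "3.12.0",
         "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0?type=jar"},
    ],
}


def build_sample_jar(version: str) -> io.BytesIO:
    """Constructed in-memory stand-in for a struts2-core jar; only pom.properties matters."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{STRUTS_GROUP}/struts2-core/pom.properties",
                    f"#Generated by Maven\nversion={version}\n"
                    f"groupId={STRUTS_GROUP}\nartifactId=struts2-core\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for comp in find_vulnerable(SAMPLE_SBOM):
        print(f'SBOM: {comp["name"]} {comp["version"]} ({comp["bom_ref"]}) < {FIXED_VERSION}')
    info = struts_version_from_jar(build_sample_jar("2.5.33"))
    print(f'jar: {info["name"]} {info["version"]} needs upgrade: {needs_upgrade(info["version"])}')
```

Running it against a real estate means pointing `find_vulnerable` at the SBOM your build emits (for example from the CycloneDX Maven plugin) and calling `struts_version_from_jar` on every jar under `WEB-INF/lib` of each deployed WAR; the version comparison deliberately sorts `6.1.1-SNAPSHOT` below `6.1.1` so a pre-release build is not mistaken for the fix. The numeric-prefix comparison is adequate for Struts release strings but is not a full Maven version comparator.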