CVE-2006-1547: Improper Input Validation in Apache Struts

May 1, 2022 (updated October 22, 2025)

ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.

References

exchange.xforce.ibmcloud.com/vulnerabilities/25613
github.com/advisories/GHSA-7qwv-cwgj-c8rj
github.com/apache/struts
nvd.nist.gov/vuln/detail/CVE-2006-1547
www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2006-1547

Code Behaviors & Features

Detect and mitigate CVE-2006-1547 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →