
Java and Apache Struts: why CVE-2017-5638 is still a textbook case

Published on 2026-04-11, 6 min read, by Florian

An old flaw that is still worth studying

Apache Struts advisory S2-045 described CVE-2017-5638 as possible remote code execution during file upload handling in the Jakarta Multipart parser. The exploit path used a malicious Content-Type header: an OGNL expression placed in that header was evaluated on the server when the parser rejected the value and built its error message from it, so a single unauthenticated HTTP request was enough to run commands on the host.
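As an added illustration that is not part of the original article, here is a small Python detector for the S2-045 request pattern, run over constructed sample request records (method, path, Content-Type value) rather than captured traffic. It flags a Content-Type that carries OGNL expression markers such as `%{` or `${`, and separately any value that is not a syntactically valid media type at all, which is the input the vulnerable parser choked on. The marker list, the sample lines and the function names are assumptions made for this example.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample request records (method, path, Content-Type value).
# These are illustrative, not captured traffic. Records 3 and 4 mimic the
# shape of S2-045 probes without carrying a working command.
SAMPLE_REQUESTS = [
    ("POST", "/upload.action", "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"),
    ("POST", "/upload.action", "application/x-www-form-urlencoded"),
    ("POST", "/upload.action", "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}"),
    ("GET", "/index.action", "${#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']}"),
    ("POST", "/legacy.action", "multipart/form-data; boundary=%{1+1}"),
    ("POST", "/notes.action", 'text/plain; charset="utf-8"'),
]

# Substrings that never belong in a Content-Type header but are the building
# blocks of OGNL injection payloads (assumed marker list for the example).
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "@ognl.OgnlContext")

# RFC 7230 token characters: the only characters allowed in a media type or
# an unquoted parameter value. Braces, parentheses, '@' and '=' are not tokens.
TCHAR = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
MEDIA_TYPE = re.compile(
    rf'^{TCHAR}/{TCHAR}(?:\s*;\s*{TCHAR}=(?:{TCHAR}|"[^"]*"))*\s*$'
)


class Finding(NamedTuple):
    method: str
    path: str
    reasons: Tuple[str, ...]


def content_type_reasons(value: str) -> Tuple[str, ...]:
    """Return why a Content-Type value looks like an S2-045 probe; empty if clean."""
    reasons = [f"contains OGNL marker {m!r}" for m in OGNL_MARKERS if m in value]
    if not MEDIA_TYPE.match(value):
        # A header the multipart parser cannot parse is exactly the path the
        # vulnerable error handling evaluated, so flag it even without a marker.
        reasons.append("not a syntactically valid media type")
    return tuple(reasons)


def scan(requests) -> List[Finding]:
    """Run the header check over (method, path, content_type) records."""
    findings = []
    for method, path, content_type in requests:
        reasons = content_type_reasons(content_type)
        if reasons:
            findings.append(Finding(method, path, reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f.method} {f.path}: " + "; ".join(f.reasons))
```

The structural check matters as much as the marker list: a payload can be encoded or split to avoid a fixed substring, but it still has to fail media-type parsing to reach the vulnerable error path, so a header that is not a valid media type is worth an alert on its own.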

Why revisit it in 2026? Because it perfectly illustrates the risk of legacy internet-facing frameworks that stay in production far longer than they should.

What made it dangerous

Apache rated it as critical and recommended upgrading to Struts 2.3.32 or 2.5.10.1. In practice, the issue was severe because it hit a routine business function, file upload, present in many administrative and transactional applications, and because the multipart handling ran for any request that carried such a header, not only on actions that actually implemented an upload.
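The branch-specific fix versions above are easy to get wrong in an inventory script: a naive string comparison puts "2.5.10.1" before "2.5.9". As an added example that is not part of the original article, here is a Python check that compares a struts2-core version numerically against the affected ranges and fixed releases published in S2-045 (2.3.5 through 2.3.31, fixed in 2.3.32; 2.5 through 2.5.10, fixed in 2.5.10.1) and applies it to a constructed WEB-INF/lib listing. The jar names and the function names are made up for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges and fixed releases from advisory S2-045, keyed by branch:
# branch -> (first affected, first fixed). Versions compare as integer tuples,
# so 2.5.10.1 correctly sorts after 2.5.10 and before 2.5.11.
S2_045: Dict[Version, Tuple[Version, Version]] = {
    (2, 3): ((2, 3, 5), (2, 3, 32)),
    (2, 5): ((2, 5), (2, 5, 10, 1)),
}

# Naming convention of the Struts 2 core artifact as it appears in WEB-INF/lib.
STRUTS_CORE_JAR = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")

# Constructed WEB-INF/lib listing for the example (not a real application).
SAMPLE_LIB = [
    "commons-fileupload-1.3.2.jar",
    "struts2-core-2.3.24.jar",
    "struts2-core-2.5.10.jar",
    "struts2-core-2.5.10.1.jar",
    "struts2-core-2.3.32.jar",
    "struts2-core-2.1.8.jar",
]


def parse_version(text: str) -> Version:
    """'2.5.10.1' -> (2, 5, 10, 1), so comparisons are numeric per component."""
    return tuple(int(part) for part in text.split("."))


def s2_045_status(version: str) -> Optional[bool]:
    """True if the version is inside the S2-045 affected range, False if it is
    fixed or below the range, None if the branch is not covered by the advisory."""
    v = parse_version(version)
    window = S2_045.get(v[:2])
    if window is None:
        return None
    first_affected, first_fixed = window
    return first_affected <= v < first_fixed


def audit_lib(jar_names: List[str]) -> List[Tuple[str, str]]:
    """Label each struts2-core jar 'vulnerable', 'not affected' or 'unknown branch'."""
    report = []
    for name in jar_names:
        m = STRUTS_CORE_JAR.match(name)
        if not m:
            continue
        status = s2_045_status(m.group(1))
        if status is None:
            label = "unknown branch"
        else:
            label = "vulnerable" if status else "not affected"
        report.append((name, label))
    return report


if __name__ == "__main__":
    for jar, label in audit_lib(SAMPLE_LIB):
        print(f"{jar}: {label}")
```

An "unknown branch" result (here the 2.1.x jar) is deliberately not reported as safe: the advisory simply does not cover it, and a branch that old has to be treated as unsupported rather than patched.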

The Struts case shows that an old, mature component does not automatically become safer with age. Very often it accumulates code, historical usage patterns, and production environments that are hard to migrate.

What this says about Java

This is not an indictment of the language. It is a warning about enterprise web frameworks that remain online for years. The older the application surface, the more operational debt matters.

In 2026, Struts systems are not the dominant startup stack, but they still exist in critical systems, portals, extranets, and long-lived business products.

Common warning signs

  • an old Java web application that is still exposed;
  • a slow patch cycle;
  • incomplete architecture documentation;
  • upload, admin, or backoffice features that have not been reviewed in years;
  • the assumption that legacy cleanup can wait.
Our view

In any article about dangerous technologies and representative CVEs, Struts deserves a place because it reminds us of something simple: in security, danger often comes less from the language than from the age of the framework and the inertia around patching it.

CVE-2017-5638 is still a textbook case for any team maintaining legacy Java web systems: if you do not know exactly what is still running, you do not yet know your real risk.
