CWE-104 Variant Draft

Struts: Form Bean Does Not Extend Validation Class

Definition

What is CWE-104?

This vulnerability occurs in Apache Struts applications when a form bean class does not properly extend the framework's validation class. This bypasses the built-in Validator framework, leaving the application without structured input validation and open to various injection and data manipulation attacks.

In Struts, the Validator framework provides a centralized, declarative way to validate user input across forms. When a developer creates a form bean that doesn't extend `ActionForm` (or its Validator subclass), the application misses out on this essential security layer. Instead, input checks become ad-hoc, inconsistent, or entirely absent, making every data field a potential entry point for malicious data. To prevent this, always ensure your form beans inherit from the appropriate validation-enabled class, such as `ValidatorForm`. This enforces validation rules defined in your `validation.xml` configuration file, ensuring all user input is cleaned and checked before processing. Consistently using the framework's validation mechanism is far more reliable and secure than attempting to manually validate each input throughout your codebase.

Real-world impact

Real-world CVEs caused by CWE-104

No public CVE references are linked to this CWE in MITRE's catalog yet.

How attackers exploit it

Step-by-step attacker path

1
In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user information from a registration webpage for an online business site. The user will enter registration data and through the Struts framework the RegistrationForm bean will maintain the user data.
2
However, the RegistrationForm class extends the Struts ActionForm class which does not allow the RegistrationForm class to use the Struts validator capabilities. When using the Struts framework to maintain user data in an ActionForm Bean, the class should always extend one of the validator classes, ValidatorForm, ValidatorActionForm, DynaValidatorForm or DynaValidatorActionForm. These validator classes provide default validation and the validate method for custom validation for the Bean object to use for validating input data. The following Java example shows the RegistrationForm class extending the ValidatorForm class and implementing the validate method for validating input data.
3
Note that the ValidatorForm class itself extends the ActionForm class within the Struts framework API.

Vulnerable code example

Vulnerable Java

In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user information from a registration webpage for an online business site. The user will enter registration data and through the Struts framework the RegistrationForm bean will maintain the user data.

Vulnerable Java

public class RegistrationForm extends org.apache.struts.action.ActionForm {
  		// private variables for registration form
  		private String name;
  		private String email;
  		...
  		public RegistrationForm() {
  			super();
  		}
  		// getter and setter methods for private variables
  		...
  }

Secure code example

Secure Java

However, the RegistrationForm class extends the Struts ActionForm class which does not allow the RegistrationForm class to use the Struts validator capabilities. When using the Struts framework to maintain user data in an ActionForm Bean, the class should always extend one of the validator classes, ValidatorForm, ValidatorActionForm, DynaValidatorForm or DynaValidatorActionForm. These validator classes provide default validation and the validate method for custom validation for the Bean object to use for validating input data. The following Java example shows the RegistrationForm class extending the ValidatorForm class and implementing the validate method for validating input data.

Secure Java

public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {
  		// private variables for registration form
  		private String name;
  		private String email;
  		...
  		public RegistrationForm() {
  			super();
  		}
  		public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {...}
  		// getter and setter methods for private variables
  		...
  }

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Prevention checklist

How to prevent CWE-104

Implementation Ensure that all forms extend one of the Validation Classes.

Detection signals

How to detect CWE-104

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Plexicus auto-fix

Plexicus auto-detects CWE-104 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free

Frequently asked questions

What is CWE-104?

How serious is CWE-104?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-104?

MITRE lists the following affected platforms: Java.

How can I prevent CWE-104?

Ensure that all forms extend one of the Validation Classes.

How does Plexicus detect and fix CWE-104?

Plexicus's SAST engine matches the data-flow signature for CWE-104 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-104?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/104.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-104

CWE-573 Parent

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Struts: Form Bean Does Not Extend Validation Class

What is CWE-104?

Real-world CVEs caused by CWE-104

Step-by-step attacker path

Vulnerable Java

Secure Java

How to prevent CWE-104

How to detect CWE-104

Plexicus auto-detects CWE-104 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-104

Improper Following of Specification by Caller

Struts: Incomplete validate() Method Definition

Creation of chroot Jail Without Changing Working Directory

Incorrect Check of Function Return Value

Improper Following of a Certificate's Chain of Trust

Missing Critical Step in Authentication

Missing Cryptographic Step

Generation of Predictable IV with CBC Mode

Improperly Implemented Security Check for Standard

Further reading

Don't Let Security
Weigh You Down.

Struts: Form Bean Does Not Extend Validation Class

What is CWE-104?

Real-world CVEs caused by CWE-104

Step-by-step attacker path

Vulnerable Java

Secure Java

How to prevent CWE-104

How to detect CWE-104

Plexicus auto-detects CWE-104 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-104

Improper Following of Specification by Caller

Struts: Incomplete validate() Method Definition

Creation of chroot Jail Without Changing Working Directory

Incorrect Check of Function Return Value

Improper Following of a Certificate's Chain of Trust

Missing Critical Step in Authentication

Missing Cryptographic Step

Generation of Predictable IV with CBC Mode

Improperly Implemented Security Check for Standard

Further reading

Don't Let SecurityWeigh You Down.

Don't Let Security
Weigh You Down.