CWE-608 Variant Draft

Struts: Non-private Field in ActionForm Class

This vulnerability occurs when an Apache Struts ActionForm class exposes a field without declaring it as private. This allows other parts of the application to directly read or modify the field's…

Definition

What is CWE-608?

This vulnerability occurs when an Apache Struts ActionForm class exposes a field without declaring it as private. This allows other parts of the application to directly read or modify the field's data, bypassing the intended setter and getter methods.

In Struts, ActionForm classes are designed to encapsulate user-submitted form data. When a field is not declared private, it breaks this fundamental principle of encapsulation. Any component within the same package or other classes can directly access and alter the field's value, leading to unpredictable application behavior, corrupted data states, and a breakdown of the framework's data validation and population workflow. This direct access bypasses the critical logic within the setter and getter methods, such as input validation, data sanitization, or type conversion. As a result, attackers or even other application modules can inject malicious or malformed data directly into the object. To fix this, always declare all fields in ActionForm classes as private and ensure all external interactions occur through well-defined public getter and setter methods.

Real-world impact

Real-world CVEs caused by CWE-608

No public CVE references are linked to this CWE in MITRE's catalog yet.

How attackers exploit it

Step-by-step attacker path

1
Identify a code path that handles untrusted input without validation.
2
Craft a payload that exercises the unsafe behavior — injection, traversal, overflow, or logic abuse.
3
Deliver the payload through a normal request and observe the application's reaction.
4
Iterate until the response leaks data, executes attacker code, or escalates privileges.

Vulnerable code example

Vulnerable Java

In the following Java example the class RegistrationForm is a Struts framework ActionForm Bean that will maintain user input data from a registration webpage for a online business site. The user will enter registration data and through the Struts framework the RegistrationForm bean will maintain the user data.

Vulnerable Java

public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {
  		// variables for registration form
  		public String name;
  		public String email;
  		...
  		public RegistrationForm() {
  			super();
  		}
  		public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {...}
  		...
  }

Secure code example

Secure Java

However, within the RegistrationForm the member variables for the registration form input data are declared public not private. All member variables within a Struts framework ActionForm class must be declared private to prevent the member variables from being modified without using the getter and setter methods. The following example shows the member variables being declared private and getter and setter methods declared for accessing the member variables.

Secure Java

public class RegistrationForm extends org.apache.struts.validator.ValidatorForm {
  		// private variables for registration form
  		private String name;
  		private String email;
  		...
  		public RegistrationForm() {
  			super();
  		}
  		public ActionErrors validate(ActionMapping mapping, HttpServletRequest request) {...}
  	// getter and setter methods for private variables
  	...
  }

What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.

Prevention checklist

How to prevent CWE-608

Implementation Make all fields private. Use getter to get the value of the field. Setter should be used only by the framework; setting an action form field from other actions is bad practice and should be avoided.

Detection signals

How to detect CWE-608

SAST High

Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.

DAST Moderate

Run dynamic application security testing against the live endpoint.

Runtime Moderate

Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.

Code review Moderate

Code review: flag any new code that handles input from this surface without using the validated framework helpers.

Plexicus auto-fix

Plexicus auto-detects CWE-608 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free

Frequently asked questions

What is CWE-608?

How serious is CWE-608?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-608?

MITRE lists the following affected platforms: Java.

How can I prevent CWE-608?

Make all fields private. Use getter to get the value of the field. Setter should be used only by the framework; setting an action form field from other actions is bad practice and should be avoided.

How does Plexicus detect and fix CWE-608?

Plexicus's SAST engine matches the data-flow signature for CWE-608 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-608?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/608.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-608

CWE-668 Parent

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.

Struts: Non-private Field in ActionForm Class

What is CWE-608?

Real-world CVEs caused by CWE-608

Step-by-step attacker path

Vulnerable Java

Secure Java

How to prevent CWE-608

How to detect CWE-608

Plexicus auto-detects CWE-608 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-608

Exposure of Resource to Wrong Sphere

Improper Isolation of Shared Resources on System-on-a-Chip (SoC)

Assumed-Immutable Data is Stored in Writable Memory

Binding to an Unrestricted IP Address

Improper Isolation of Shared Resources in Network On Chip (NoC)

Use of Externally-Controlled Format String

Exposure of Sensitive Information to an Unauthorized Actor

Passing Mutable Objects to an Untrusted Method

Returning a Mutable Object to an Untrusted Caller

Further reading

Don't Let Security
Weigh You Down.

Struts: Non-private Field in ActionForm Class

What is CWE-608?

Real-world CVEs caused by CWE-608

Step-by-step attacker path

Vulnerable Java

Secure Java

How to prevent CWE-608

How to detect CWE-608

Plexicus auto-detects CWE-608 and opens a fix PR in under 60 seconds.

Frequently asked questions

Weaknesses related to CWE-608

Exposure of Resource to Wrong Sphere

Improper Isolation of Shared Resources on System-on-a-Chip (SoC)

Assumed-Immutable Data is Stored in Writable Memory

Binding to an Unrestricted IP Address

Improper Isolation of Shared Resources in Network On Chip (NoC)

Use of Externally-Controlled Format String

Exposure of Sensitive Information to an Unauthorized Actor

Passing Mutable Objects to an Untrusted Method

Returning a Mutable Object to an Untrusted Caller

Further reading

Don't Let SecurityWeigh You Down.

Don't Let Security
Weigh You Down.