Q created FILEUPLOAD-366:
----------------------------
Summary: java.lang.NoSuchFieldError: INSTANCE - field removed from
1.5 after fixing CVE-2025-48976
Key: FILEUPLOAD-366
URL: https://issues.apache.org/jira/browse/FILEUPLOAD-366
Project: Commons FileUpload
Issue Type: Bug
Affects Versions: 1.6.0
Environment: App running Tomcat 9/Java 11 - however this is not
relevant
Reporter: Q
I'm working on upgrading a Struts 1.3-based application to address the
CVE-2025-48976 vulnerability:
{quote}{*}CVE-2025-48976{*}: A denial-of-service (DoS) vulnerability in Apache
Commons FileUpload due to insufficient limits when processing multipart headers.
Affected versions:
* 1.0 through 1.5
* 2.0.0-M1 through 2.0.0-M3
The issue is resolved in versions *1.6* and {*}2.0.0-M4{*}.
{quote}
The application runs without issues using FileUpload 1.5, but when I upgrade to
1.6.0, I encounter the following error at runtime:
Caused by: java.lang.NoSuchFieldError: INSTANCE
at org.apache.commons.fileupload.util.Streams.copy(Streams.java:151)
...
at
org.apache.struts.upload.CommonsMultipartRequestHandler.handleRequest(CommonsMultipartRequestHandler.java:186)
It seems that a field ({{{}INSTANCE{}}}) previously available is now missing in
version 1.6.0, but I haven’t found any documentation explaining its removal.
Has anyone else run into this issue after upgrading? Any known workarounds or
compatibility notes for Struts 1.3 with Commons FileUpload 1.6?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
