[
https://issues.apache.org/jira/browse/FILEUPLOAD-366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18020827#comment-18020827
]
Q commented on FILEUPLOAD-366:
------------------------------
I stand corrected! Thank you for the reply!
> java.lang.NoSuchFieldError: INSTANCE - field removed from 1.5 after fixing
> CVE-2025-48976
> -----------------------------------------------------------------------------------------
>
> Key: FILEUPLOAD-366
> URL: https://issues.apache.org/jira/browse/FILEUPLOAD-366
> Project: Commons FileUpload
> Issue Type: Bug
> Affects Versions: 1.6.0
> Environment: App running Tomcat 9/Java 11 - however this is not
> relevant
> Reporter: Q
> Priority: Major
>
> I'm working on upgrading a Struts 1.3-based application to address the
> CVE-2025-48976 vulnerability:
> {quote}{*}CVE-2025-48976{*}: A denial-of-service (DoS) vulnerability in
> Apache Commons FileUpload due to insufficient limits when processing
> multipart headers.
> Affected versions:
> * 1.0 through 1.5
> * 2.0.0-M1 through 2.0.0-M3
> The issue is resolved in versions *1.6* and {*}2.0.0-M4{*}.
> {quote}
> The application runs without issues using FileUpload 1.5, but when I upgrade
> to 1.6.0, I encounter the following error at runtime:
> Caused by: java.lang.NoSuchFieldError: INSTANCE
> at org.apache.commons.fileupload.util.Streams.copy(Streams.java:151)
> ...
> at
> org.apache.struts.upload.CommonsMultipartRequestHandler.handleRequest(CommonsMultipartRequestHandler.java:186)
> It seems that a field ({{{}INSTANCE{}}}) previously available is now missing
> in version 1.6.0, but I haven’t found any documentation explaining its
> removal.
> Has anyone else run into this issue after upgrading? Any known workarounds or
> compatibility notes for Struts 1.3 with Commons FileUpload 1.6?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
