
The Apache Software Foundation disclosed a denial of service vulnerability in Apache Struts on December 1, 2025 (updated December 10). The flaw (CVE-2025-64775 and related CVE-2025-66675) allows attackers to exhaust server disk space through file leaks in multipart request processing.
The issue is a file leak in the multipart request handler, where temporary files from form fields are not properly cleaned up. Repeated requests can fill the disk, crashing the application or server.
Temporary files from regular form fields in multipart requests are not deleted, leading to rapid disk consumption. — Apache Struts Security Bulletin S2-068
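The leak described above can be modelled with a small handler, shown here as an added example that is not Apache Struts code: `handle_leaky` spools every multipart part to a temp file but removes only upload parts, while `handle_fixed` removes all of them in a `finally` block. All function names, the boundary and the sample fields are constructed for illustration.

```python
# Added illustration of the bug class; hypothetical names, not Apache Struts code.
import os
import tempfile
from email import message_from_bytes

BOUNDARY = "XbOuNdArY"  # constructed sample boundary

def build_request(parts):
    """Build a constructed multipart/form-data body from (name, filename, value)."""
    lines = []
    for name, filename, value in parts:
        disp = f'Content-Disposition: form-data; name="{name}"'
        if filename:
            disp += f'; filename="{filename}"'
        lines += [f"--{BOUNDARY}", disp, "", value]
    return "\r\n".join(lines + [f"--{BOUNDARY}--", ""]).encode()

def spool_parts(body, tmpdir):
    """Write every part to its own temp file; return [(path, is_upload)]."""
    head = f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n\r\n".encode()
    spooled = []
    for part in message_from_bytes(head + body).get_payload():
        fd, path = tempfile.mkstemp(prefix="part_", dir=tmpdir)
        with os.fdopen(fd, "wb") as fh:
            fh.write(part.get_payload(decode=True) or b"")
        spooled.append((path, part.get_filename() is not None))
    return spooled

def handle_leaky(body, tmpdir):
    """Models the leak: only upload parts are cleaned up, form fields stay on disk."""
    for path, is_upload in spool_parts(body, tmpdir):
        if is_upload:
            os.remove(path)

def handle_fixed(body, tmpdir):
    """Every spooled part is removed, even if request processing raises."""
    spooled = spool_parts(body, tmpdir)
    try:
        pass  # application logic would read the parts here
    finally:
        for path, _ in spooled:
            os.remove(path)

def leftover_after(handler, requests=20):
    """Count temp files remaining after `requests` identical requests."""
    body = build_request([("user", None, "alice"), ("note", None, "hi"), ("doc", "a.txt", "data")])
    with tempfile.TemporaryDirectory() as tmpdir:
        for _ in range(requests):
            handler(body, tmpdir)
        return len(os.listdir(tmpdir))
```

`leftover_after(handle_leaky)` grows linearly with the number of requests, which is the signal to watch for in a temp directory on an unpatched server; `leftover_after(handle_fixed)` stays at zero.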
Read the official Apache Struts security bulletin here: