Apache Struts Vulnerability Let Attackers Trigger Disk Exhaustion Attacks

A critical security flaw in Apache Struts could allow attackers to trigger disk exhaustion attacks, rendering affected systems unusable.

The vulnerability, tracked as CVE-2025-64775, stems from a file leak in multipart request processing that enables denial-of-service conditions.

An Apache Struts researcher discovered the vulnerability in the framework's multipart request processing mechanism. The flaw lets attackers abuse file-handling operations so that temporary files accumulate uncontrollably on the server.

Critical Flaw Enables Disk Exhaustion Attacks

As disk space depletes, applications become unresponsive and crash, disrupting business operations and services.

The vulnerability affects multiple Struts versions, including those that have reached end-of-life status.

Organizations running unsupported versions face heightened risk as they no longer receive security updates from Apache.

CVE Identifier: CVE-2025-64775
Problem: File leak in multipart request processing causes disk exhaustion (DoS)
Impact: Denial of service
Affected Software: Struts 2.0.0-2.3.37 (EOL), Struts 2.5.0-2.5.33 (EOL), Struts 6.0.0-6.7.0, Struts 7.0.0-7.0.3

All Struts 2 developers, system administrators, and security teams maintaining applications built on the Apache Struts framework should immediately assess their exposure to CVE-2025-64775.

The vulnerability has an Important security rating and can cause complete denial-of-service. Attackers require no authentication to exploit this flaw, making it particularly dangerous for internet-facing applications.

Once exploited, organizations experience service disruptions, potential data loss, and operational downtime during system restoration.

All Apache Struts versions from 2.0.0 to 2.3.37 and 2.5.0 to 2.5.33 are End-of-Life (EOL), while versions 6.0.0 to 6.7.0 and 7.0.0 to 7.0.3 are currently vulnerable. Organizations running EOL versions face compounding risks from unpatched vulnerabilities.

Apache Software Foundation strongly recommends upgrading to Struts 6.8.0 or newer within the 6.x branch. Alternatively, organizations can upgrade to Struts 7.1.1 or later.

The patch addresses the file-leak issue while maintaining backward compatibility, ensuring existing applications continue to function without code modifications.

Security teams should prioritize patching internet-facing Struts applications and conduct thorough testing in development environments before deploying to production.

Organizations unable to immediately upgrade should implement monitoring for disk usage anomalies and consider temporary workarounds such as restricting multipart request sizes.
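The interim mitigation above, monitoring for disk usage anomalies, can be implemented as a small periodic check on the directory where Struts writes multipart uploads. The following Python script is an added example, not code from the article or the Struts project. It assumes the operator supplies the upload save directory (Struts reads it from the struts.multipart.saveDir constant and otherwise uses the servlet container's temp directory); the thresholds, the file names and the sample directory it builds are constructed for illustration.

```python
import os
import shutil
import tempfile
import time
from dataclasses import dataclass


@dataclass
class UploadDirReport:
    """Snapshot of the multipart save directory on one scan."""
    free_ratio: float   # free bytes / total bytes on the filesystem holding the directory
    stale_files: int    # temp files older than the stale threshold (never cleaned up)
    stale_bytes: int    # bytes held by those stale files


def scan_upload_dir(path, stale_after_s=600, now=None):
    """Count leaked upload temp files and measure free space on their filesystem.

    A healthy Struts deployment removes multipart temp files as soon as the
    request completes, so files older than stale_after_s seconds indicate a leak.
    """
    now = time.time() if now is None else now
    stale_files = 0
    stale_bytes = 0
    for entry in os.scandir(path):
        if not entry.is_file():
            continue
        st = entry.stat()
        if now - st.st_mtime > stale_after_s:
            stale_files += 1
            stale_bytes += st.st_size
    usage = shutil.disk_usage(path)
    return UploadDirReport(usage.free / usage.total, stale_files, stale_bytes)


def evaluate(report, min_free_ratio=0.10, max_stale_files=100):
    """Turn a report into a list of (code, message) alerts; empty list means healthy."""
    alerts = []
    if report.free_ratio < min_free_ratio:
        alerts.append(("disk_free_low",
                       f"only {report.free_ratio:.1%} free, threshold {min_free_ratio:.0%}"))
    if report.stale_files > max_stale_files:
        alerts.append(("stale_uploads",
                       f"{report.stale_files} stale upload files ({report.stale_bytes} bytes)"))
    return alerts


def build_sample_dir(stale=3, fresh=2, now=None):
    """Constructed sample data: a temp directory with deliberately aged upload files."""
    now = time.time() if now is None else now
    d = tempfile.mkdtemp(prefix="struts-upload-sample-")
    for i in range(stale):
        p = os.path.join(d, f"upload_stale_{i}.tmp")
        with open(p, "wb") as f:
            f.write(b"x" * 1024)
        os.utime(p, (now - 3600, now - 3600))   # one hour old: leaked
    for i in range(fresh):
        p = os.path.join(d, f"upload_fresh_{i}.tmp")
        with open(p, "wb") as f:
            f.write(b"y" * 512)
        os.utime(p, (now, now))                 # just written: in-flight request
    return d


if __name__ == "__main__":
    # Hypothetical path; replace with the real struts.multipart.saveDir value.
    target = os.environ.get("STRUTS_UPLOAD_DIR") or build_sample_dir()
    report = scan_upload_dir(target)
    for code, message in evaluate(report, max_stale_files=2):
        print(f"ALERT {code}: {message}")
    print(report)
```

Run it from cron or a systemd timer with STRUTS_UPLOAD_DIR set to the real save directory; a steady rise in stale_files between runs is the signature of the leak described above even before free space becomes critical. Pair it with a request-size limit (the struts.multipart.maxSize constant) so that each leaked file is bounded in size.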

The Apache Struts team responded quickly to the disclosure, releasing patched versions that resolve the disk exhaustion vulnerability. Organizations should treat this as a high-priority patch and include it in their next maintenance window.
