Apache Struts Flaw Allows Attackers to Launch Disk Exhaustion Attacks

A new security flaw has been found in Apache Struts, a popular open-source web application framework used by many companies worldwide.

The issue, tracked as CVE-2025-64775, could allow attackers to fill a server's disk space, causing it to stop working correctly.

Field                Details
CVE ID               CVE-2025-64775
Vulnerability Title  Apache Struts flaw allows attackers to launch disk exhaustion (DoS) attacks
Vendor / Project     Apache Software Foundation
Product              Apache Struts 2

Multipart requests are commonly used when users upload files through web forms. Because of a file leak in how Struts processes them, the temporary files created for uploads may not be cleaned up correctly.

An attacker can abuse this behavior to create many large temporary files until the disk is full.

When the disk fills up, the server can no longer store data or logs, resulting in a denial-of-service (DoS) condition. In other words, the website or application using Struts may become slow, unstable, or entirely unavailable for regular users.

The Apache Struts team has rated the maximum security impact of this flaw as “Important”. While it is not in the highest “Critical” category, it is still severe enough that all users are strongly urged to take action.

According to an advisory from Apache Struts developer Lukasz Lenart, last updated on November 11, 2025, the problem stems from how Struts handles multipart requests.

The vulnerability affects a wide range of Struts versions, including:

  • Struts 2.0.0 through 2.3.37 (now end-of-life)
  • Struts 2.5.0 through 2.5.33 (also end-of-life)
  • Struts 6.0.0 through 6.7.0
  • Struts 7.0.0 through 7.0.3

Nicolas Fournier reported the flaw, and there is currently no workaround available. That means users cannot simply change a configuration setting or apply a small patch to avoid the problem.

Instead, the only recommended solution is to upgrade to a fixed version of Struts. The project maintainers advise all users to move to:

  • Struts 6.8.0 or later in the 6.x line, or
  • Struts 7.1.1 or later in the 7.x line.
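To turn the affected and fixed version lists above into an inventory check, here is an added example (not code from the advisory or the Struts project) that classifies struts2-core jar versions against those ranges; the jar names in the sample inventory are constructed, and the "below first fixed release" status is a deliberate caveat for versions the advisory does not list explicitly.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges, copied from the advisory as quoted in the article.
AFFECTED = [((2, 0, 0), (2, 3, 37)), ((2, 5, 0), (2, 5, 33)),
            ((6, 0, 0), (6, 7, 0)), ((7, 0, 0), (7, 0, 3))]
# First fixed release per supported line; the whole 2.x line is end-of-life.
FIXED = {6: (6, 8, 0), 7: (7, 1, 1)}

_JAR_RE = re.compile(r"struts2-core-(\d+)\.(\d+)\.(\d+)")

def version_from_jar(name: str) -> Optional[Version]:
    """Pull major.minor.patch out of a struts2-core jar path; None if absent."""
    m = _JAR_RE.search(name)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None

def assess(v: Version) -> str:
    """Classify one version against the CVE-2025-64775 advisory ranges."""
    if any(lo <= v <= hi for lo, hi in AFFECTED):
        if v[0] == 2:
            return "vulnerable, end-of-life: migrate to 6.8.0+ or 7.1.1+"
        return f"vulnerable: upgrade to {'.'.join(map(str, FIXED[v[0]]))} or later"
    if v[0] == 2:
        return "end-of-life branch, no fixes published: migrate"
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "line not covered by the advisory: check vendor guidance"
    if v >= fixed:
        return "fixed"
    # e.g. a 6.7.x release above 6.7.0: not listed as affected, yet below the fix
    return "not in listed affected range but below first fixed release: verify"

def scan(inventory: dict) -> dict:
    """Map app name -> finding for an {app: jar path} inventory."""
    out = {}
    for app, jar in inventory.items():
        v = version_from_jar(jar)
        out[app] = assess(v) if v else "no struts2-core version found"
    return out

# Constructed sample inventory; these are not real systems.
SAMPLE = {
    "billing": "struts2-core-2.5.33.jar",
    "portal": "struts2-core-6.7.0.jar",
    "api-gw": "struts2-core-7.0.3.jar",
    "intranet": "struts2-core-7.1.1.jar",
    "legacy": "WEB-INF/lib/struts2-core-2.3.37.jar",
}

if __name__ == "__main__":
    for app, finding in scan(SAMPLE).items():
        print(f"{app:10s} {finding}")
```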

The team notes that these updates are backward compatible, so applications should continue to work as before in most cases after the upgrade.

Security experts warn that organizations still running older, unsupported Struts versions (such as 2.3.x or 2.5.x) face even higher risk, because those branches no longer receive security fixes.

Companies are encouraged to review their systems, identify any use of vulnerable Struts versions, and schedule upgrades as soon as possible to reduce the chance of a disruptive disk exhaustion attack.
