
Urgent: Apache Struts Vulnerable to Disk Exhaustion Attack (CVE-2025-64775)

Overview

A critical denial-of-service (DoS) vulnerability, tracked as CVE-2025-64775, has been identified in Apache Struts. This flaw stems from improper handling of multipart requests, potentially leading to excessive file creation and subsequent disk exhaustion. Exploitation of this vulnerability could render affected Struts applications unavailable.

Technical Details

The vulnerability resides in the multipart request processing mechanism within Apache Struts. An attacker can craft a malicious multipart request that causes the application to create numerous temporary files, rapidly filling up the available disk space. This ultimately results in a denial-of-service condition as the server becomes unable to function correctly due to disk exhaustion.

This issue affects Apache Struts versions 2.0.0 through 6.7.0 and 7.0.0 through 7.0.3.

CVSS Analysis

A CVSS score has not yet been published for CVE-2025-64775. Given that successful exploitation results in a complete denial of service, the score is expected to fall in the High or Critical range. This section will be updated as soon as the official CVSS rating is finalized.

Possible Impact

The primary impact of CVE-2025-64775 is denial of service. Successful exploitation can lead to:

  • Application Unavailability: The Struts application becomes unresponsive and unavailable to legitimate users.
  • Server Instability: The entire server hosting the Struts application may become unstable due to disk exhaustion, potentially impacting other applications running on the same server.
  • Data Loss or Corruption (Indirect): Although not a direct consequence, an unstable server can increase the risk of data loss or corruption.

Mitigation and Patch Steps

The recommended course of action is to immediately upgrade your Apache Struts installation to one of the following patched versions:

  • Upgrade to version 6.8.0
  • Upgrade to version 7.1.1

These versions contain the necessary fixes to address the vulnerability in multipart request processing.

If an immediate upgrade is not possible, consider implementing temporary mitigations such as:

  • Rate Limiting: Implement rate limiting on multipart request handling to limit the number of requests processed within a given timeframe.
  • Request Size Limits: Enforce strict limits on the size of multipart requests to prevent excessively large requests.
  • Disk Monitoring: Implement proactive disk space monitoring and alerting to identify and respond to potential disk exhaustion issues.
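As an added example of the disk-monitoring mitigation (this script is not part of the Struts security bulletin or the Struts project), the following POSIX shell monitor checks two things on the filesystem that backs the multipart temporary directory: the percentage of disk space in use, and the number of temporary files present. The directory path and both thresholds are assumptions for illustration; Struts writes multipart uploads to the servlet container's temporary directory unless `struts.multipart.saveDir` is set, so point `UPLOAD_DIR` at whatever your deployment actually uses.

```shell
#!/bin/sh
# Constructed example: disk-space and temp-file monitor for a Struts multipart
# upload directory. Paths and thresholds below are assumptions, not values
# taken from the advisory.

# Alert when the filesystem holding the temp dir is at least this percent full.
DISK_THRESHOLD_PCT="${DISK_THRESHOLD_PCT:-85}"
# Alert when the temp dir holds at least this many regular files.
FILE_THRESHOLD="${FILE_THRESHOLD:-1000}"
# Multipart temp directory (assumed path; set to your container's tempdir or
# the value of struts.multipart.saveDir).
UPLOAD_DIR="${UPLOAD_DIR:-/tmp/struts-uploads}"

# usage_pct DIR -> prints percent-used of the filesystem containing DIR (0 if unknown)
usage_pct() {
    pct=$(df -P "$1" 2>/dev/null | awk 'NR==2 { sub("%", "", $5); print $5 }')
    echo "${pct:-0}"
}

# file_count DIR -> prints the number of regular files directly inside DIR
file_count() {
    find "$1" -maxdepth 1 -type f 2>/dev/null | wc -l | tr -d ' '
}

# check_threshold VALUE LIMIT -> success (0) if VALUE is below LIMIT
check_threshold() {
    [ "$1" -lt "$2" ]
}

# monitor DIR DISK_LIMIT_PCT FILE_LIMIT
#   returns 0 when both metrics are below their limits,
#   1 when at least one limit is reached (alert printed to stderr),
#   2 when DIR does not exist (configuration error).
monitor() {
    dir=$1; disk_limit=$2; file_limit=$3
    [ -d "$dir" ] || { echo "ERROR: $dir does not exist" >&2; return 2; }
    status=0
    pct=$(usage_pct "$dir")
    count=$(file_count "$dir")
    if ! check_threshold "$pct" "$disk_limit"; then
        echo "ALERT: filesystem for $dir is ${pct}% full (limit ${disk_limit}%)" >&2
        status=1
    fi
    if ! check_threshold "$count" "$file_limit"; then
        echo "ALERT: $count temp files in $dir (limit $file_limit)" >&2
        status=1
    fi
    return $status
}

# When given a directory argument, run one check; otherwise only define the
# functions so the file can be sourced from a cron job or alerting hook.
if [ "$#" -gt 0 ]; then
    monitor "$1" "$DISK_THRESHOLD_PCT" "$FILE_THRESHOLD"
fi
```

Run it from cron every minute or so (`sh monitor.sh /path/to/tempdir`) and route the non-zero exit status into your alerting. A sudden rise in the file count ahead of the disk-usage alarm is the earlier of the two signals for this vulnerability class, since the temporary files accumulate before the disk actually fills. For the request-size-limit mitigation listed above, the relevant Struts setting is the `struts.multipart.maxSize` constant in `struts.xml`, which caps the total size of a multipart request.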

References

Apache Struts Security Bulletin: S2-068

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
