Apache Struts Vulnerability Let Attackers Trigger Disk Exhaustion Attacks

Posted on December 2, 2025 By CWS

A critical security flaw in Apache Struts could allow attackers to trigger disk exhaustion attacks, rendering affected systems unusable.

The vulnerability, tracked as CVE-2025-64775, stems from a file leak in multipart request processing that enables denial-of-service conditions.

An Apache Struts researcher found the vulnerability in Apache Struts' multipart request processing mechanism. The flaw allows attackers to exploit file-handling operations, resulting in uncontrolled file accumulation on the server.

Important Flaw Allows Disk Exhaustion Attacks

As disk space depletes, applications become unresponsive and crash, disrupting business operations and services.

The vulnerability affects multiple Struts versions, including those that have reached end-of-life status.

Organizations running unsupported versions face heightened risk as they no longer receive security updates from Apache.

| Field | Details |
|---|---|
| CVE Identifier | CVE-2025-64775 |
| Problem | File leak in multipart request processing causes disk exhaustion (DoS) |
| Impact | Denial of service |
| Affected Software | Struts 2.0.0-2.3.37 (EOL), Struts 2.5.0-2.5.33 (EOL), Struts 6.0.0-6.7.0, Struts 7.0.0-7.0.3 |

All Struts 2 developers, system administrators, and security teams maintaining applications built on the Apache Struts framework should immediately assess their exposure to CVE-2025-64775.

The vulnerability has an Important security rating and can cause complete denial-of-service. Attackers require no authentication to exploit this flaw, making it particularly dangerous for internet-facing applications.

Once the flaw is exploited, organizations experience service disruptions, potential data loss, and operational downtime during system recovery.

All Apache Struts versions from 2.0.0 to 2.3.37 and 2.5.0 to 2.5.33 are End-of-Life (EOL), while versions 6.0.0 to 6.7.0 and 7.0.0 to 7.0.3 are currently vulnerable. Organizations running EOL versions face compounding risks from unpatched vulnerabilities.

The Apache Software Foundation strongly recommends upgrading to Struts 6.8.0 or later within the 6.x branch. Alternatively, organizations can upgrade to Struts 7.1.1 or later.

The patch addresses the file-leak issue while maintaining backward compatibility, ensuring existing applications continue to function without code changes.

Security teams should prioritize patching internet-facing Struts applications and conduct thorough testing in development environments before deploying to production.

Organizations unable to upgrade immediately should implement monitoring for disk usage anomalies and consider temporary workarounds such as limiting multipart request sizes.

The Apache Struts team responded quickly to the disclosure, releasing patched versions that resolve the disk exhaustion vulnerability. Organizations should treat this as a high-priority patch and include it in their next maintenance window.
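To support the exposure assessment described above, the following added example (not code from the article or from Apache) inventories `struts2-core` jars under a deployment directory and classifies each version against the affected ranges and fixed releases listed in this article. It assumes the library keeps its Maven artifact file name on disk and only looks at exploded deployments; the function names and status labels are illustrative.

```python
import re
import sys
from pathlib import Path

# (low, high, first fixed release) per the ranges in the article; bounds inclusive.
# EOL branches have no fixed release of their own.
AFFECTED = [
    ((2, 0, 0), (2, 3, 37), None),
    ((2, 5, 0), (2, 5, 33), None),
    ((6, 0, 0), (6, 7, 0), "6.8.0"),
    ((7, 0, 0), (7, 0, 3), "7.1.1"),
]
# Assumption: the core library keeps its Maven artifact name on disk.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)[^/]*\.jar")


def parse(version):
    """Numeric prefix of a version string as a tuple; qualifiers are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"not a version: {version!r}")
    parts = tuple(int(p) for p in m.group().split("."))
    return parts + (0,) * (3 - len(parts))


def classify(version):
    """Return 'affected-eol', 'affected', 'fixed' or 'unlisted'."""
    v = parse(version)
    for low, high, fix in AFFECTED:
        if low <= v <= high:
            return "affected" if fix else "affected-eol"
    if (6, 8, 0) <= v < (7, 0, 0) or v >= (7, 1, 1):
        return "fixed"
    return "unlisted"  # outside every listed range and fix: check the advisory


def scan(root):
    """Map each struts2-core jar found under root to (version, status)."""
    found = {}
    for path in Path(root).rglob("struts2-core-*.jar"):
        m = JAR_RE.fullmatch(path.name)
        if m:
            found[str(path)] = (m.group(1), classify(m.group(1)))
    return found


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for jar, (version, status) in sorted(scan(root).items()):
        print(f"{status:12} {version:10} {jar}")
```

Versions reported as `unlisted` fall outside both the affected ranges and the fixed releases named here, so they need a manual check against the vendor advisory rather than an assumption either way.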
