Apache · Apache Struts · CVE-2023-34396
**Name of the Vulnerable Software and Affected Versions**
Apache Struts versions through 2.5.30
Apache Struts versions through 6.1.2
**Description**
The issue is an allocation of resources without limits or throttling (CWE-770) that can lead to a denial of service through JVM out-of-memory (OOM), because there is no sanity limit on normal (non-file) form fields in multipart forms. When a multipart request carries non-file form fields, Struts reads each of them into memory as a String without checking its size; the only bound is struts.multipart.maxSize, which caps the whole request rather than any single field. If that setting has been configured to a value equal to or greater than the available heap, a request whose text fields fill that budget can exhaust memory. The condition is reachable by an unauthenticated attacker who can reach a multipart-handling action. There is no impact on confidentiality or integrity; the impact is to availability, and it is high, since the application (or the whole JVM) becomes unresponsive or crashes.
**Recommendations**
Upgrade to Struts 2.5.31 (2.5.x branch) or 6.1.2.1 (6.x branch) or later.
As a temporary workaround, restrict the use of multipart forms to the actions that need them, or set struts.multipart.maxSize to a value well below the available heap, bearing in mind that several concurrent multipart requests can each consume up to that limit. This lowers the risk but does not remove the missing per-field check; only the upgrade does.
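Two checks a practitioner will want after reading the description and the recommendations above: is the deployed struts2-core at or beyond the fixed release for its branch, and does struts.xml set struts.multipart.maxSize to a value that is at or above the heap. The script below is an added example written for this page; it is not Apache Struts code and not part of the advisory. It assumes a caller-supplied heap size (the -Xmx value), assumes the Struts default of 2 MiB for struts.multipart.maxSize when the constant is absent, and refers to struts.multipart.maxStringLength, the per-field cap that the fixed releases added; the two struts.xml documents it audits are constructed samples, one weak and one hardened.

```python
"""Audit helper for CVE-2023-34396 exposure (added example, not Struts code)."""
import re
import xml.etree.ElementTree as ET

# Fixed releases per branch, taken from the advisory.
FIXED_RELEASES = {2: (2, 5, 31), 6: (6, 1, 2, 1)}

# Assumed Struts default for struts.multipart.maxSize (2 MiB) when struts.xml does not set it.
ASSUMED_DEFAULT_MAX_SIZE = 2097152


def parse_version(version: str) -> tuple:
    """Turn '6.1.2.1' or '2.5.30-SNAPSHOT' into a tuple of ints for ordered comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_fixed(version: str) -> bool:
    """True if a struts2-core version is at or beyond the fixed release of its branch."""
    parts = parse_version(version)
    if not parts:
        return False
    major = parts[0]
    if major not in FIXED_RELEASES:
        # Struts 7.x and later were released after the fix; any other major is treated as unpatched.
        return major > 6
    # Tuple comparison: (2, 5, 30) < (2, 5, 31) and (6, 1, 2) < (6, 1, 2, 1).
    return parts >= FIXED_RELEASES[major]


def audit_multipart_config(struts_xml: str, heap_bytes: int) -> list:
    """Return findings for the multipart constants in a struts.xml document.

    heap_bytes is the JVM's maximum heap (the -Xmx value), supplied by the caller.
    """
    root = ET.fromstring(struts_xml)
    constants = {c.get("name"): c.get("value") for c in root.iter("constant")}
    findings = []

    raw = constants.get("struts.multipart.maxSize")
    max_size = None
    try:
        max_size = int(raw) if raw is not None else ASSUMED_DEFAULT_MAX_SIZE
    except ValueError:
        findings.append(f"struts.multipart.maxSize is not an integer: {raw!r}")

    # The advisory's trigger: the request cap is at or above the memory available to hold it.
    if max_size is not None and max_size >= heap_bytes:
        findings.append(
            f"struts.multipart.maxSize={max_size} is >= heap ({heap_bytes} bytes); "
            "one multipart request of large text fields can exhaust memory"
        )

    # Per-field cap added by the fixed releases; older builds ignore it, so upgrade first.
    if "struts.multipart.maxStringLength" not in constants:
        findings.append("struts.multipart.maxStringLength is not set; text fields are unbounded")
    return findings


# Constructed sample: a weak configuration (cap larger than a 2 GiB heap).
WEAK_STRUTS_XML = """<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 6.0//EN"
    "https://struts.apache.org/dtds/struts-6.0.dtd">
<struts>
  <!-- 4 GiB: text fields alone can drive the JVM to OOM -->
  <constant name="struts.multipart.maxSize" value="4294967296"/>
</struts>
"""

# Constructed sample: the hardened counterpart.
HARDENED_STRUTS_XML = """<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 6.0//EN"
    "https://struts.apache.org/dtds/struts-6.0.dtd">
<struts>
  <!-- 10 MiB: bounded well below the heap -->
  <constant name="struts.multipart.maxSize" value="10485760"/>
  <!-- per-field cap honoured by 2.5.31 / 6.1.2.1 and later -->
  <constant name="struts.multipart.maxStringLength" value="4096"/>
</struts>
"""


if __name__ == "__main__":
    heap = 2 * 1024 ** 3  # assume the container runs with -Xmx2g
    for label, xml in (("weak", WEAK_STRUTS_XML), ("hardened", HARDENED_STRUTS_XML)):
        print(label, audit_multipart_config(xml, heap) or ["no findings"])
    for v in ("2.5.30", "2.5.31", "6.1.2", "6.1.2.1"):
        print(v, "fixed" if is_fixed(v) else "VULNERABLE")
```

The version check reads the struts2-core version from wherever you keep it (the jar file name, the Maven dependency tree, or the jar manifest); the config audit only covers constants declared in struts.xml, so if the deployment sets struts.multipart.maxSize in struts.properties or programmatically, check those sources too. A maxSize below the heap is necessary but not sufficient: the per-field bound only exists on the fixed releases.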