PT-2025-48488 · Apache · Apache Struts

Nicolas Fournier · Published 2025-11-11 · Updated 2026-03-17

CVE-2025-64775

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Apache Struts versions 2.0.0 through 6.7.0
Apache Struts versions 7.0.0 through 7.0.3
Description
A denial-of-service issue exists in Apache Struts due to incomplete cleanup of temporary or auxiliary resources during the processing of multipart requests. The vulnerable component handles multipart/form-data requests and spools uploaded parts to temporary files, but fails to delete those files when processing of the request fails. Because the files are created before the request has been fully validated, no authentication and no valid upload is needed: an unauthenticated attacker can send a stream of malformed multipart requests, causing the server to accumulate orphaned temporary files until the disk (or the partition holding the temporary directory) is exhausted, which can crash the server. Approximately 2.6 million instances are potentially exposed worldwide.
Recommendations
Upgrade to Apache Struts version 6.8.0 or later (6.x branch).
Upgrade to Apache Struts version 7.1.1 or later (7.x branch).
Temporary workarounds until the upgrade is applied (they limit the impact of the leak but do not stop it):
Limit the size of the partition holding the temporary file directory, so that a leak cannot fill the filesystem the server itself depends on.
Implement rate limiting on multipart request endpoints.
Monitor the growth of temporary files and alert on an abnormal count.
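To make the failure mode and the fix concrete, here is an added example that is not Apache Struts code and not part of the original advisory. It models the leak described above in a minimal multipart handler, shows the try/finally cleanup that closes it, and exposes the leftover-file count that the temp-file monitoring workaround would watch. The boundary string, file prefix, parser and request bodies are all constructed for this illustration and are assumptions, not taken from Struts.

```python
"""Temporary-file leak on malformed multipart input (the CWE-459 pattern).

Added illustration; this is not Apache Struts code. The boundary, file
prefix, minimal parser and request bodies below are constructed for it.
"""
import os
import shutil
import tempfile

BOUNDARY = b"----demo-boundary"      # constructed boundary string
PREFIX = "upload_"                   # constructed prefix for our temp files


def split_parts(body: bytes) -> list:
    """Split a multipart body into raw parts (constructed minimal parser)."""
    chunks = body.split(b"--" + BOUNDARY)
    # chunks[0] is the preamble; the "--\r\n" chunk is the closing delimiter
    return [c for c in chunks[1:] if not c.startswith(b"--")]


def write_part(part: bytes, tmpdir: str) -> str:
    """Spool one part's payload to a temp file; raise on a malformed part."""
    if b"\r\n\r\n" not in part:
        raise ValueError("malformed part: no blank line between headers and body")
    _headers, payload = part.split(b"\r\n\r\n", 1)
    fd, path = tempfile.mkstemp(prefix=PREFIX, dir=tmpdir)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    return path


def handle_leaky(body: bytes, tmpdir: str) -> int:
    """Vulnerable pattern: files spooled before the error are never removed."""
    paths = []
    for part in split_parts(body):
        paths.append(write_part(part, tmpdir))   # raises mid-loop on bad input
    # ... the application would consume the uploads here ...
    for p in paths:
        os.unlink(p)                              # reached only on the happy path
    return len(paths)


def handle_fixed(body: bytes, tmpdir: str) -> int:
    """Hardened pattern: every spooled file is removed on success and on error."""
    paths = []
    try:
        for part in split_parts(body):
            paths.append(write_part(part, tmpdir))
        # ... the application would consume the uploads here ...
        return len(paths)
    finally:
        for p in paths:
            try:
                os.unlink(p)
            except FileNotFoundError:
                pass


def count_orphans(tmpdir: str) -> int:
    """The check a temp-file monitoring workaround would run: leftover spool files."""
    return sum(1 for name in os.listdir(tmpdir) if name.startswith(PREFIX))


def build_body(n_good: int, malformed: bool) -> bytes:
    """Constructed request body: n_good valid file parts, optionally a broken last part."""
    parts = []
    for i in range(n_good):
        head = b'Content-Disposition: form-data; name="f%d"; filename="f%d.bin"' % (i, i)
        parts.append(b"--" + BOUNDARY + b"\r\n" + head + b"\r\n\r\n" + b"A" * 1024 + b"\r\n")
    if malformed:
        # header line with no blank-line terminator: write_part() rejects it
        parts.append(b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="bad"\r\n')
    return b"".join(parts) + b"--" + BOUNDARY + b"--\r\n"


def simulate(handler, requests: int, malformed: bool = True) -> int:
    """Push `requests` bodies through `handler` in a fresh temp dir; return orphan count."""
    tmpdir = tempfile.mkdtemp(prefix="struts-demo-")
    body = build_body(3, malformed)
    try:
        for _ in range(requests):
            try:
                handler(body, tmpdir)
            except ValueError:
                pass                              # the server logs the bad request and moves on
        return count_orphans(tmpdir)
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


if __name__ == "__main__":
    print("leaky handler, 10 malformed requests:", simulate(handle_leaky, 10), "orphaned files")
    print("fixed handler, 10 malformed requests:", simulate(handle_fixed, 10), "orphaned files")
```

Each malformed request spools the three valid parts before the fourth part is rejected, so the leaky handler leaves three files per request and the count grows linearly with the attacker's request rate; this is why rate limiting and a size-bounded temporary partition only slow the exhaustion, while the try/finally cleanup in the hardened handler removes it. In production the orphan count per temporary directory is the metric to graph and alert on.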

Fix

DoS

Weakness Enumeration

Related Identifiers

BDU:2025-15416
CVE-2025-64775
GHSA-XX7V-HQXH-CJR9

Affected Products

Apache Struts
Bamboo