CVE-2025-64775

7.5 HIGH

📋 TL;DR

This vulnerability in Apache Struts allows attackers to cause a denial of service through disk exhaustion by exploiting a file leak in multipart request processing. It affects all Apache Struts installations from versions 2.0.0 through 6.7.0 and 7.0.0 through 7.0.3. Attackers can send specially crafted multipart requests that cause temporary files to accumulate without cleanup.

💻 Affected Systems

Products:
  • Apache Struts
Versions: 2.0.0 through 6.7.0, 7.0.0 through 7.0.3
Operating Systems: All operating systems running affected Struts versions
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations using multipart request processing are vulnerable. Applications not using file upload functionality may still be affected if multipart processing is enabled.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete disk exhaustion leading to system crash, service unavailability, and potential data corruption if critical system partitions fill up.

🟠 Likely Case

Degraded application performance, service interruptions, and potential application crashes as disk space becomes exhausted.

🟢 If Mitigated

Minimal impact with proper monitoring and disk space management, though still vulnerable to targeted attacks.

🌐 Internet-Facing: HIGH - Internet-facing Struts applications are directly exposed to exploitation without authentication.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but require network access and may have additional controls.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit and public proof-of-concept code is available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.8.0 or 7.1.1

Vendor Advisory: https://cwiki.apache.org/confluence/display/WW/S2-068

Restart Required: Yes

Instructions:

1. Identify your Struts version.
2. Download Struts 6.8.0 (for 2.x/6.x) or 7.1.1 (for 7.x).
3. Replace the Struts JAR files in your application.
4. Restart your application server.
5. Test application functionality.

🔧 Temporary Workarounds

Disable multipart request processing

Applies to: all

If your application doesn't require file uploads, disable multipart request handling in Struts configuration.

In struts.xml: <constant name="struts.multipart.enabled" value="false" />

Implement request filtering

Applies to: all

Use a web application firewall or reverse proxy to filter suspicious multipart requests.

Configure WAF rules to limit multipart request size and frequency.

🧯 If You Can't Patch

  • Implement strict disk space monitoring and alerts for temporary directories
  • Deploy network-level controls to limit multipart request rates and sizes

🔍 How to Verify

Check if Vulnerable:

Check your Struts version against affected ranges. Examine application logs for excessive temporary file creation in multipart processing directories.

Check Version:

Check the version of struts2-core-*.jar in WEB-INF/lib, or examine your Maven/Gradle dependencies.

Verify Fix Applied:

Verify Struts version is 6.8.0+ or 7.1.1+. Test multipart file upload functionality works correctly without disk space issues.

📡 Detection & Monitoring

Log Indicators:

  • Rapid growth of temporary files in upload directories
  • Disk space alerts
  • Multiple failed multipart request attempts
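The "rapid growth of temporary files" indicator above can be checked directly on the host. The following monitor is an added example written for this page, not code from the advisory or from the Struts project: it counts, sizes and ages the multipart temp files in a directory and raises an alert when any threshold is exceeded. It assumes the upload_*.tmp naming that Commons FileUpload gives its temp files (adjust prefix/suffix to your setup) and that you point it at the directory named by struts.multipart.saveDir, or the servlet container's temp directory when that constant is unset; the sample directory it builds is constructed, not real data.

```python
import os
import tempfile
import time
from dataclasses import dataclass

SAMPLE_NOW = 1_700_000_000.0  # placeholder clock for the constructed sample


@dataclass
class TempDirReport:
    file_count: int      # matching temp files still on disk
    total_bytes: int     # bytes they occupy
    oldest_age_s: float  # age of the oldest one; leaked files keep ageing
    alert: bool          # True when any threshold is exceeded


def scan_multipart_tempdir(path, prefix="upload_", suffix=".tmp", max_files=200,
                           max_bytes=1 << 30, max_age_s=3600, now=None):
    # A healthy server deletes these files when the request finishes, so a
    # file older than the longest plausible request, or a growing count or
    # byte total, points at the multipart file leak this advisory describes.
    now = time.time() if now is None else now
    count, total, oldest = 0, 0, 0.0
    with os.scandir(path) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            if not (entry.name.startswith(prefix) and entry.name.endswith(suffix)):
                continue
            st = entry.stat(follow_symlinks=False)
            count += 1
            total += st.st_size
            oldest = max(oldest, now - st.st_mtime)
    alert = count > max_files or total > max_bytes or oldest > max_age_s
    return TempDirReport(count, total, oldest, alert)


def build_constructed_sample():
    # Throwaway directory holding constructed files, not data from a real host.
    d = tempfile.mkdtemp(prefix="struts-tmp-demo-")
    for name, size, age in (("upload_a_1.tmp", 100, 10),
                            ("upload_b_2.tmp", 100, 7200),  # leaked: two hours old
                            ("upload_c_3.tmp", 5000, 30),
                            ("other.log", 50, 0)):          # ignored: wrong pattern
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(b"x" * size)
        os.utime(p, (SAMPLE_NOW - age, SAMPLE_NOW - age))
    return d
```

Run scan_multipart_tempdir from cron or your agent with thresholds tuned to the server's normal upload load; the age check is the one that fires on a leak even when volume is low.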

Network Indicators:

  • High volume of multipart POST requests
  • Unusually large file upload attempts
  • Requests with malformed multipart boundaries

SIEM Query:

source="*struts*" AND ("multipart" OR "upload") AND ("disk full" OR "no space" OR "temp file")
