Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS)
Description
Denial of service vulnerability in Apache Struts: a file leak in multipart request processing causes disk exhaustion.
This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3.
Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Struts multipart processing file leak exhausts disk space, causing denial of service; fixed in 6.8.0 and 7.1.1.
Vulnerability
CVE-2025-64775 is a denial of service vulnerability in Apache Struts arising from a file leak during multipart request processing. When file upload is enabled, temporary files are not properly cleaned up, leading to disk exhaustion [1][3][4].
Exploitation
An attacker can exploit this by sending a high volume of multipart requests, causing temporary files to accumulate on the server's filesystem. No authentication is required if the application exposes file upload functionality [3].
Impact
Successful exploitation results in disk exhaustion, rendering the application unresponsive and causing a denial of service. This can impact all users of the affected versions [1][4].
Mitigation
The issue is fixed in Apache Struts 6.8.0 and 7.1.1. As a workaround, administrators can define a temporary folder with size limits or on a dedicated volume, or disable file upload support if not needed [3][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.struts:struts2-core | Maven | >= 6.0.0, < 6.8.0 | 6.8.0 |
| org.apache.struts:struts2-core | Maven | >= 7.0.0, < 7.1.1 | 7.1.1 |
| org.apache.struts:struts2-core | Maven | >= 2.0.0, <= 2.3.37 | — |
| org.apache.struts:struts2-core | Maven | >= 2.5.0, <= 2.5.33 | — |
Affected products
- Apache Software Foundation / Apache Struts, range from 2.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- cwiki.apache.org/confluence/display/WW/S2-068 (vendor advisory, web)
- github.com/advisories/GHSA-xx7v-hqxh-cjr9 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-64775 (NVD advisory)
- www.openwall.com/lists/oss-security/2025/12/01/2 (oss-security list, web)
News mentions
No linked articles in our index yet.