A newly disclosed security flaw in Apache Struts could let attackers trigger disk exhaustion attacks, potentially making affected servers slow, unstable, or completely unusable.
How the Vulnerability Works
Researchers found that Struts’ multipart request processing can mishandle file-related operations. When abused, the server keeps generating files without proper cleanup.
As the disk fills, applications freeze, crash, and stop responding — impacting business services.
The issue affects several Struts releases, including many end-of-life (EOL) versions that no longer receive security patches.
Organizations using older or unsupported Struts versions face the highest risk. Attackers do not need authentication to exploit the bug, making it especially dangerous for public-facing sites.
CVE Details
| Field | Details |
|---|---|
| CVE ID | CVE-2025-64775 |
| Issue | File leak in multipart processing causes disk exhaustion |
| Impact | Denial of Service (DoS) |
| Affected Versions | Struts 2.0.0–2.3.37 (EOL), 2.5.0–2.5.33 (EOL), 6.0.0–6.7.0, 7.0.0–7.0.3 |
If exploited, this flaw can cause serious disruptions. Servers may run out of disk space, applications can crash, and services may go offline, leading to downtime, potential data loss, and costly recovery efforts. The risk is even higher for organizations using end-of-life Struts versions, since those releases no longer receive security updates.
Recommended Fixes
The Apache Software Foundation recommends upgrading immediately:
- Struts 6 users: move to 6.8.0 or newer
- Struts 7 users: update to 7.1.1 or later
The patch fixes the file-leak issue and maintains backward compatibility, so existing applications should continue to work without code changes.
If upgrading right away is not possible, organizations should:
- Monitor disk space closely
- Limit multipart upload sizes
- Reduce exposure of public-facing endpoints
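As an added example (not from the advisory or the Struts project), a small POSIX shell monitor covering the first two interim mitigations above: it reports disk usage for the filesystem holding the multipart temp directory and counts temp files older than a threshold, which is the visible symptom of the file leak. The directory path is an assumption; in a real deployment it should be the value of `struts.multipart.saveDir` (or the servlet container's temp dir when that constant is unset).

```shell
#!/bin/sh
# Constructed monitoring helper; not part of the advisory or of Apache Struts.
# Assumption: the directory passed in is where Struts writes multipart temp
# files (struts.multipart.saveDir, or the container temp dir by default).

# Percentage of space used on the filesystem holding $1 (POSIX df -P output).
disk_used_pct() {
    df -P "$1" | awk 'NR==2 { sub("%", "", $5); print $5 }'
}

# Count regular files under $1 whose modification time is older than $2 minutes.
# A count that keeps growing is the leak described above: temp files are
# created per multipart request but never cleaned up.
stale_file_count() {
    find "$1" -type f -mmin +"$2" 2>/dev/null | wc -l | tr -d ' '
}

# $1 = temp dir, $2 = max disk used %, $3 = file age in minutes, $4 = max stale files.
# Returns 0 when both thresholds hold, 1 otherwise, printing one ALERT line per breach.
check_upload_dir() {
    dir=$1; max_pct=$2; age_min=$3; max_stale=$4
    pct=$(disk_used_pct "$dir")
    stale=$(stale_file_count "$dir" "$age_min")
    status=0
    if [ "$pct" -ge "$max_pct" ]; then
        echo "ALERT disk usage ${pct}% >= ${max_pct}% on filesystem holding $dir"
        status=1
    fi
    if [ "$stale" -gt "$max_stale" ]; then
        echo "ALERT $stale multipart temp files older than ${age_min} min in $dir"
        status=1
    fi
    return $status
}

# Example invocation for a cron job; the path below is a placeholder.
# check_upload_dir /path/to/struts/multipart/saveDir 90 30 100
```

Run it from cron every few minutes and feed the ALERT lines to whatever alerting pipeline you already use; the thresholds are starting points, not recommendations from the advisory.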