oss-security - CVE-2025-64775: Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS)

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <CAMopvkP-=gOHFmF8ZHv4To1zBDtAGSJ26o5x-GX-otzr9iD=4g@mail.gmail.com>
Date: Mon, 1 Dec 2025 15:46:17 +0100
From: Lukasz Lenart <lukaszlenart@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-64775: Apache Struts: File leak in multipart request
 processing causes disk exhaustion (DoS) - S2-068

Severity: important

Affected versions:

- Apache Struts (org.apache.struts:struts2-core) 2.0.0 through 6.7.0
- Apache Struts (org.apache.struts:struts2-core) 7.0.0 through 7.0.3

Description:

Denial of Service vulnerability in Apache Struts, file leak in
multipart request processing causes disk exhaustion.

This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0
through 7.0.3.

Users are recommended to upgrade to version 6.8.0 or 7.1.1, which
fixes the issue.

Credit:

Nicolas Fournier (reporter)

References:

https://cwiki.apache.org/confluence/display/WW/S2-068
https://struts.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-64775

On behalf of the Apache Struts project
Łukasz Lenart

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.