Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAMopvkNA3BCPxeo5ndy9eRntyTf_B37pdTCd5ZgCqOOpZ=208Q@mail.gmail.com>
Date: Wed, 10 Dec 2025 08:11:24 +0100
From: Lukasz Lenart <lukaszlenart@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-66675: Apache Struts: File leak in multipart request
 processing causes disk exhaustion (DoS) - version ranges fixed

Severity: important

Affected versions:
- Apache Struts (org.apache.struts:struts2-core) 2.0.0 through 6.7.*
- Apache Struts (org.apache.struts:struts2-core) 7.0.0 through 7.0.*

Description:
Denial of Service vulnerability in Apache Struts, file leak in
multipart request processing causes disk exhaustion.

This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0
through 7.0.3.
Users are recommended to upgrade to version 6.8.0 or 7.1.1, which
fixes the issue.

It's related to https://cve.org/CVERecord?id=CVE-2025-64775  - this
CVE addresses missing affected version 6.7.4

Credit:
Nicolas Fournier (reporter)

References:
https://cwiki.apache.org/confluence/display/WW/S2-068
https://cve.org/CVERecord?id=CVE-2025-64775
https://cve.org/CVERecord?id=CVE-2025-66675
https://struts.apache.org/


Kind regards
Ɓukasz

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.