Apache Struts 2 DoS Vulnerability Let Attackers Crash Server
A denial-of-service vulnerability rated Important has been disclosed in Apache Struts 2, affecting multiple versions of the popular web application framework.
The vulnerability, identified as CVE-2025-64775, stems from a file leak in multipart request processing: temporary files created while parsing a multipart request are not cleaned up, so an attacker can exhaust disk space and crash the server.
The flaw is reachable only when Apache Struts 2's file upload functionality is enabled. Organizations running affected versions with uploads enabled should prioritize patching to prevent service disruption.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-64775 |
| Impact | Denial-of-Service |
| Severity | Important |
| Fixed Versions | Struts 6.8.0+, Struts 7.1.1+ |
| Patch Status | Backward Compatible |
The file leak in multipart request processing lets an attacker fill storage capacity: each request leaves behind temporary data that is never released, so repeated requests accumulate files until the volume holding the temporary directory is full.
Once disk space is exhausted the server can no longer write what it needs to handle legitimate requests, which amounts to a complete denial of service.
Security researcher Nicolas Fournier discovered the vulnerability. This advisory is critical for all Apache Struts 2 developers, system administrators, and organizations deploying Struts-based applications.
Any organization with file upload capabilities enabled should immediately assess its environment and apply necessary patches.
Multiple versions across four major release lines are impacted.
| Versions | Status | Recommendation |
|---|---|---|
| Struts 2.0.0 – 2.3.37 | EOL & Vulnerable | Upgrade immediately |
| Struts 2.5.0 – 2.5.33 | EOL & Vulnerable | Upgrade immediately |
| Struts 6.0.0 – 6.7.4 | Vulnerable | Update required |
| Struts 7.0.0 – 7.0.3 | Vulnerable | Update required |
| 6.8.0+ or 7.1.1+ | Safe | Use minimum recommended versions |
Struts 2.0.0 through 2.3.37 and Struts 2.5.0 through 2.5.33 are affected, but both lines have reached end-of-life, so the only remedy is to move to a supported release line.
More critically, Struts 6.0.0 through 6.7.4 and Struts 7.0.0 through 7.0.3 are actively maintained and require immediate updates. Organizations should upgrade to Struts 6.8.0 or Struts 7.1.1 at a minimum.
The patches are backward compatible, so the upgrade should not break existing functionality.
Those unable to upgrade immediately have two workarounds: point the multipart temporary directory at a dedicated folder on a volume with limited capacity, so that a leak fills that volume rather than the one the application and operating system depend on, or turn off file upload support entirely if it is not required for operations.
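The dedicated-folder workaround only helps if someone notices when that folder starts filling up. The script below is an added example from the editor, not code from the Apache Struts project or the article. It assumes the dedicated directory is the one configured as Struts' multipart save directory (the `struts.multipart.saveDir` constant), that leaked parser temp files are named `upload_*.tmp` (the commons-fileupload convention; adjust the glob if your parser differs), and that the age and usage thresholds are values you choose for your site.

```shell
#!/bin/sh
# Monitor and clean a dedicated Struts multipart save directory.
# Added example, not Apache Struts code. Assumptions: the directory is the
# one set via struts.multipart.saveDir; leaked multipart temp files match
# upload_*.tmp (commons-fileupload naming); thresholds are site-chosen.

# count_leaked DIR MINUTES
# Prints the number of upload_*.tmp files in DIR older than MINUTES.
# A request in flight holds its temp file for seconds, so anything that is
# minutes old is a leak candidate rather than a live upload.
count_leaked() {
    dir=$1; minutes=$2
    find "$dir" -maxdepth 1 -type f -name 'upload_*.tmp' -mmin +"$minutes" \
        | wc -l | tr -d ' '
}

# usage_pct DIR
# Prints the percentage of the filesystem holding DIR that is in use.
usage_pct() {
    df -P "$1" | awk 'NR==2 { sub(/%/, "", $5); print $5 }'
}

# check_savedir DIR MINUTES MAXPCT
# Prints a one-line status and returns 0 when healthy, 1 when leaked temp
# files are present or the volume is at or above MAXPCT percent used.
check_savedir() {
    dir=$1; minutes=$2; maxpct=$3
    leaked=$(count_leaked "$dir" "$minutes")
    pct=$(usage_pct "$dir")
    echo "saveDir=$dir leaked_tmp=$leaked usage=${pct}%"
    if [ "$leaked" -gt 0 ] || [ "$pct" -ge "$maxpct" ]; then
        return 1
    fi
    return 0
}

# purge_leaked DIR MINUTES
# Deletes leak candidates. A stop-gap for unpatched hosts only; the real
# fix is upgrading to Struts 6.8.0+ or 7.1.1+.
purge_leaked() {
    find "$1" -maxdepth 1 -type f -name 'upload_*.tmp' -mmin +"$2" -delete
}

# Typical cron use (path and thresholds are placeholders):
#   check_savedir /var/struts-uploads 10 80 || purge_leaked /var/struts-uploads 10
```

Run `check_savedir` from cron or your monitoring agent against the save directory; a non-zero exit is the signal that the leak is active on that host. `purge_leaked` buys time on a host that cannot yet be upgraded, but because the leak is in request processing itself, cleanup has to keep running until the patched version is deployed.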
The post Apache Struts 2 DoS Vulnerability Let Attackers Crash Server appeared first on Cyber Security News.
Abinaya