Summary

File leak in multipart request processing causes disk exhaustion (DoS)

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Denial of service

Maximum security rating

Important

Recommendation

Upgrade to at least Struts 6.8.0 or 7.1.1

Affected Software

  • Struts 2.0.0 through Struts 2.3.37 (EOL)
  • Struts 2.5.0 through Struts 2.5.33 (EOL)
  • Struts 6.0.0 through Struts 6.7.4
  • Struts 7.0.0 through Struts 7.0.3

Reporters

Nicolas Fournier

CVE Identifier

CVE-2025-64775

Problem

File leak in multipart request processing causes disk exhaustion.

Solution

Upgrade to at least Struts 6.8.0 or Struts 7.1.1.

Backward compatibility

This change is backward compatible.

Workaround

Define a temporary folder for uploaded files that has a limited size, or that sits on a dedicated volume where it won't affect system files.
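One way to check that this workaround is in place on a host, as an added example that is not part of the Struts advisory: the functions below report whether the upload folder shares a filesystem with `/`, how many old temporary files have accumulated in it, and how full its volume is. It assumes uploads are directed to the audited folder through Struts's `struts.multipart.saveDir` setting; the path `/var/struts-upload`, the thresholds, and all function names are hypothetical, and `find -mmin` requires GNU or BSD find.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the Struts upload temp folder.
# The path and thresholds in the usage line are hypothetical placeholders.
# Usage: audit_upload_dir /var/struts-upload 60 80

# Mount point of the filesystem holding path $1
# (takes the last df field, so mount points containing spaces are not handled).
mount_of() {
    df -P "$1" | awk 'NR==2 {print $NF}'
}

# True when $1 is on a different filesystem than $2.
on_dedicated_volume() {
    [ "$(mount_of "$1")" != "$(mount_of "$2")" ]
}

# Number of regular files under $1 untouched for more than $2 minutes.
# Temp files that outlive their request are what a file leak leaves behind.
stale_count() {
    find "$1" -type f -mmin +"$2" 2>/dev/null | wc -l | tr -d ' '
}

# Used capacity (integer percent) of the volume holding $1.
used_pct() {
    df -P "$1" | awk 'NR==2 {sub("%", "", $5); print $5}'
}

# Returns 0 when all checks pass, 1 when any finding is reported.
audit_upload_dir() {
    dir=$1; max_age=${2:-60}; max_pct=${3:-80}; rc=0
    if ! on_dedicated_volume "$dir" /; then
        echo "WARN: $dir shares a filesystem with /"; rc=1
    fi
    n=$(stale_count "$dir" "$max_age")
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n files older than ${max_age} min in $dir"; rc=1
    fi
    pct=$(used_pct "$dir")
    if [ "$pct" -ge "$max_pct" ]; then
        echo "WARN: volume holding $dir is ${pct}% full"; rc=1
    fi
    return "$rc"
}
```

Run from cron or a monitoring agent, a non-zero return from `audit_upload_dir` can feed an alert before the volume fills.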
