CVE-2025-66675 PUBLISHED

Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - version ranges fixed

Assigner: apache
Reserved: 07.12.2025 Published: 10.12.2025 Updated: 10.12.2025

Denial of Service vulnerability in Apache Struts: a file leak in multipart request processing causes disk exhaustion.

This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3.

Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.

This issue is related to https://cve.org/CVERecord?id=CVE-2025-64775; this CVE addresses the missing affected version 6.7.4.

Product Status

Vendor: Apache Software Foundation
Product: Apache Struts
Versions: Default: unaffected
  • affected from 2.0.0 to 6.7.* (incl.)
  • affected from 7.0.0 to 7.0.* (incl.)

Credits

  • Nicolas Fournier (reporter)

Problem Types

  • CWE-459: Incomplete Cleanup