CVE-2025-48976

Denial of Service
Affects: Apache Commons Fileupload in Struts
Versions: >=1.0 <1.6.0, >=2.0.0-M1 <2.0.0-M
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Apache Struts is a popular open-source web application framework for developing Java EE web applications. It provides robust support for creating modern Java-based enterprise applications. 

A Denial of Service (DoS) vulnerability (CVE-2025-48976) has been identified in Apache Commons Fileupload. It allows attackers to exhaust server memory by sending specially crafted multipart uploads, potentially rendering the application unresponsive. Apache Commons Fileupload is the library Apache Struts uses to handle file uploads.

Per OWASP: The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or the way the service handles resources it uses.

This issue affects multiple versions of Apache Struts 1 that rely on commons-fileupload.

Details

Module Info

Vulnerability Info

A Denial of Service (DoS) vulnerability (CVE-2025-48976) has been identified in Apache Commons Fileupload, which allows attackers to exhaust server memory by crafting multipart uploads with a high number of parts containing excessively large headers. This issue is addressed in versions 1.6 and 2.0.0-M5 with the introduction of the PartHeaderSizeMax configuration parameter and by limiting the number of parts.
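The fix described above bounds two things a multipart parser would otherwise buffer without limit: the size of each part's header block and the number of parts. The following Python example, added here and not taken from Apache Commons Fileupload or Struts, shows what such bounded parsing looks like in a small multipart/form-data reader. The limit names (MAX_PART_HEADER_BYTES, MAX_PARTS), the exception class and the helper functions are this example's own; MAX_PART_HEADER_BYTES plays the role the page attributes to the PartHeaderSizeMax parameter. The header scan only ever looks at as many bytes as the remaining header budget allows, so an oversized header is rejected before it is read into memory, and the part counter is checked before each new part is parsed. The sample bodies are constructed inline for the demonstration.

```python
# Defensive multipart parsing with a per-part header cap and a part-count cap.
# Example code written for this advisory; not Commons Fileupload's implementation.

MAX_PART_HEADER_BYTES = 512   # assumed cap on one part's header block, CRLFs included
MAX_PARTS = 10                # assumed cap on the number of parts in one body


class MultipartLimitExceeded(ValueError):
    """Raised when a body exceeds a configured resource limit."""


def parse_multipart(body: bytes, boundary: bytes,
                    max_header_bytes: int = MAX_PART_HEADER_BYTES,
                    max_parts: int = MAX_PARTS):
    """Parse a multipart body into a list of (headers, payload) pairs.

    Each part's header block is read line by line against a byte budget, and
    the scan for the line terminator never looks beyond that budget, so the
    parser refuses an oversized header without buffering it.  The part count
    is checked before a new part's headers are touched.
    """
    delim = b"--" + boundary
    parts = []
    idx = body.find(delim)            # skip any preamble before the first delimiter
    if idx < 0:
        raise ValueError("missing first boundary")
    pos = idx + len(delim)
    while True:
        if body.startswith(b"--", pos):   # "--boundary--" closes the body
            return parts
        if not body.startswith(b"\r\n", pos):
            raise ValueError("malformed boundary line")
        pos += 2
        if len(parts) >= max_parts:
            raise MultipartLimitExceeded(f"more than {max_parts} parts")

        headers = {}
        budget = max_header_bytes     # header bytes this part may still consume
        while True:
            # Search for CRLF only inside the remaining budget.
            eol = body.find(b"\r\n", pos, pos + budget)
            if eol < 0:
                if len(body) - pos >= budget:
                    raise MultipartLimitExceeded(
                        f"part {len(parts) + 1} headers exceed {max_header_bytes} bytes")
                raise ValueError("unterminated header block")
            budget -= (eol - pos) + 2
            line = body[pos:eol]
            pos = eol + 2
            if line == b"":           # blank line ends the header block
                break
            name, sep, value = line.partition(b":")
            if not sep:
                raise ValueError("malformed header line")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")

        end = body.find(b"\r\n" + delim, pos)   # payload runs up to the next delimiter
        if end < 0:
            raise ValueError("missing closing boundary")
        parts.append((headers, body[pos:end]))
        pos = end + 2 + len(delim)


def screen_upload(body: bytes, boundary: bytes, **limits) -> str:
    """Classify a body as 'accepted', 'limit-exceeded' or 'malformed' (for logging/metrics)."""
    try:
        parse_multipart(body, boundary, **limits)
    except MultipartLimitExceeded:
        return "limit-exceeded"
    except ValueError:
        return "malformed"
    return "accepted"


def build_body(parts, boundary: bytes) -> bytes:
    """Serialize (headers, payload) pairs into a multipart body (test helper)."""
    out = bytearray()
    for headers, payload in parts:
        out += b"--" + boundary + b"\r\n"
        for name, value in headers.items():
            out += name.encode("latin-1") + b": " + value.encode("latin-1") + b"\r\n"
        out += b"\r\n" + payload + b"\r\n"
    out += b"--" + boundary + b"--\r\n"
    return bytes(out)


if __name__ == "__main__":
    boundary = b"exampleboundary"   # constructed sample value
    normal = build_body([({"Content-Disposition": 'form-data; name="note"'}, b"hello")], boundary)
    oversized = build_body([({"Content-Disposition": 'form-data; name="note"',
                              "X-Padding": "A" * 2000}, b"x")], boundary)
    print("normal body:", screen_upload(normal, boundary))
    print("oversized header:", screen_upload(oversized, boundary))
```

The same structure applies to any streaming parser: enforce the budget while reading, not after the fact, because a check that runs only once the header has been buffered has already spent the memory the attacker wanted to consume.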

Mitigation

Struts 1 is no longer community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to supported versions of Struts.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credit

  • TERASOLUNA Framework Security Team of NTT DATA Group Corporation

Vulnerability Details

ID: CVE-2025-48976
Project Affected: Apache Commons Fileupload
Versions Affected: >=1.0 <1.6.0, >=2.0.0-M1 <2.0.0-M
Published date: August 4, 2025
Approximate fix date: July 17, 2025
Severity: High
Category: Denial of Service

Severity levels by CVSS assessment:

  • Low: >=0 <4
  • Medium: >=4 <6
  • High: >=6 <8
  • Critical: >=8 <10