CVE-2025-64775

Denial of Service
Affects: Apache Struts
Versions: >=2.0.0 <=2.3.37, >=2.5.0 <=2.5.33, >=6.0.0 <6.8.0, >=7.0.0 <7.1.1
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Apache Struts is a popular open-source web application framework for developing Java EE web applications. It provides robust support for creating modern Java-based enterprise applications. 

A Denial of Service vulnerability (CVE-2025-64775) has been identified in Apache Struts. This issue arises from a file leak during multipart request processing, which can lead to disk exhaustion and cause service disruption.

Per OWASP, a Denial of Service (DoS) attack aims to make a system, application, or service unavailable for its intended use. DoS conditions can be triggered through overwhelming request volumes, exploitation of programming flaws, or improper handling of system resources, ultimately preventing legitimate users from accessing the service. In some cases, attackers may even inject or execute arbitrary code while carrying out a DoS attack, escalating the impact. These attacks can cause severe degradation in service quality, including long response delays, excessive failures, and complete service outages, resulting in a direct and significant impact on availability.

This issue affects multiple versions of Apache Struts.

Details

Vulnerability Info

CVE-2025-64775 is a Denial of Service vulnerability in Apache Struts caused by a file leak during multipart request processing. When triggered, the flaw can lead to uncontrolled disk usage, eventually exhausting system resources and disrupting service availability.

Steps To Reproduce

This vulnerability can be reproduced by sending multipart requests in which the file field carries a blank filename. In this scenario the resulting FileItem is not tracked for cleanup, so its temporary file is left on disk after the request completes. An attacker can repeatedly send such requests, causing an unbounded accumulation of temporary files and eventually exhausting the destination drive.
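A simplified model of the cleanup-tracking defect described above, added here as an illustration; it is not Struts' own multipart code. Every file part is spooled to an upload_*.tmp file, but the vulnerable path registers only parts with a non-blank filename for deletion, so each request with a blank filename leaves one file behind. The multipart body and the work directory are constructed for the example.

```python
import email.parser
import os
import tempfile

BOUNDARY = b"----struts-demo"
# Constructed request body: one ordinary field and one file part whose
# filename is a single space, the blank-filename case from the advisory.
BODY = b"\r\n".join([
    b"--" + BOUNDARY,
    b'Content-Disposition: form-data; name="caption"',
    b"",
    b"hello",
    b"--" + BOUNDARY,
    b'Content-Disposition: form-data; name="upload"; filename=" "',
    b"Content-Type: application/octet-stream",
    b"",
    b"leaked bytes",
    b"--" + BOUNDARY + b"--",
    b"",
])

def parse_parts(body):
    """Parse a multipart/form-data body into its leaf parts."""
    raw = b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n\r\n" + body
    msg = email.parser.BytesParser().parsebytes(raw)
    return [p for p in msg.walk() if not p.is_multipart()]

def handle_multipart_request(body, workdir, track_blank_filenames):
    """Spool every file part to disk, then delete only the tracked items."""
    tracked = []
    for part in parse_parts(body):
        filename = part.get_filename()  # None for a plain field, "" when blank
        if filename is None:
            continue  # plain form field: nothing is written to disk
        fd, path = tempfile.mkstemp(prefix="upload_", suffix=".tmp", dir=workdir)
        with os.fdopen(fd, "wb") as fh:
            fh.write(part.get_payload(decode=True))
        # Vulnerable path: a blank filename counts as "no file", so the item
        # already hit disk but is never registered for end-of-request cleanup.
        if filename or track_blank_filenames:
            tracked.append(path)
    for path in tracked:
        os.unlink(path)

def leaked_after_requests(n_requests, track_blank_filenames):
    """Return how many temp files remain after n_requests identical uploads."""
    with tempfile.TemporaryDirectory(prefix="struts-work-") as workdir:
        for _ in range(n_requests):
            handle_multipart_request(BODY, workdir, track_blank_filenames)
        return len(os.listdir(workdir))
```

With track_blank_filenames=False three requests leave three files behind; the hardened variant, which tracks every part that reached disk, leaves none.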

Proof Of Concept

To reproduce this issue, download the Apache Struts source code and check out a vulnerable version, such as the 2.5.33 branch. Build the example applications, then deploy and run the Struts Showcase application; using Docker with Tomcat 9 is a simple approach. Once the showcase WAR is running, navigate to the application's "File → Multiple File Upload" page. Create a file whose name consists of a single space character and upload it. After the upload completes, inspect the server's filesystem, for example by running: docker exec struts2-apps ls /usr/local/tomcat/work/Catalina/localhost/showcase/. You will observe temporary files such as upload_b264d026_d7f9_479b_8929_9100fead694a_00000001.tmp remaining on disk, demonstrating the leak and confirming the vulnerability.

Mitigation

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a patched Apache Struts release outside the affected version ranges listed above
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credit

  • Nicolas Fournier

Vulnerability Details

ID: CVE-2025-64775
Project Affected: Apache Struts
Versions Affected: >=2.0.0 <=2.3.37, >=2.5.0 <=2.5.33, >=6.0.0 <6.8.0, >=7.0.0 <7.1.1
Published date: December 9, 2025
Fix date (approximate): December 5, 2025
Severity: High
Category: Denial of Service

CVSS severity scale used above:
  • Low: >=0 <4
  • Medium: >=4 <6
  • High: >=6 <8
  • Critical: >=8 <10