Apache Struts 2 Denial-of-Service Vulnerability via File Leak in Multipart Request Processing
A high-severity vulnerability, tracked as CVE-2025-66675, has been identified in Apache Struts 2, affecting versions 2.0.0 through 6.7.4 and 7.0.0 through 7.0.3. The flaw arises from a file leak in the multipart request processing component, which can lead to disk exhaustion and result in a denial-of-service (DoS) condition. Attackers can exploit this vulnerability remotely, potentially causing affected servers to crash by exhausting disk resources. The issue has been addressed in versions 6.8.0 and 7.1.1, and users are strongly advised to upgrade to these fixed versions to mitigate the risk.
The vulnerability is related to improper handling of file uploads in multipart requests, which can allow attackers to trigger uncontrolled file creation or retention, leading to resource exhaustion. Security advisories recommend prompt patching, as the flaw is remotely exploitable and could be leveraged in automated attacks targeting exposed Struts 2 instances. No evidence of exploitation in the wild has been reported as of the latest updates, but the critical nature of the flaw warrants immediate attention from organizations using vulnerable versions.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Follow-up coverage highlights patching and mitigations for Struts users
Subsequent reporting emphasized that the flaw could crash servers through disk exhaustion, especially where file upload functionality is enabled. Coverage also highlighted backward-compatible patched releases and suggested mitigations such as limiting temporary storage or disabling file uploads if unnecessary.
Apache discloses CVE-2025-66675 and fixes affected version ranges
Apache Struts disclosed CVE-2025-66675 as a high-severity unauthenticated remote DoS issue affecting versions 2.0.0 through 6.7.4 and 7.0.0 through 7.0.3. Users were advised to upgrade to versions 6.8.0 or 7.1.1, and the disclosure noted the issue was related to CVE-2025-64775 because an affected version had previously been omitted.
Apache Struts DoS file-leak flaw is reported by Nicolas Fournier
A denial-of-service vulnerability in Apache Struts multipart request processing was reported by security researcher Nicolas Fournier. The flaw causes temporary files to leak, enabling disk exhaustion and potential server crashes on systems with file uploads enabled.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Apache Struts 2 DoS Vulnerability Let Attackers Crash Server
cybersecuritynews.com
Open sourceApache Struts 2 DoS Flaw (CVE-2025-66675) Risks Server Crash via File Leak in Multipart Request Processing
securityonline.info
Open sourceCVE-2025-66675 - Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - version ranges fixed
cvefeed.io
Open sourceCVE-2025-66675: Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - version ranges fixed
seclists.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical XXE Vulnerability in Apache Struts 2 (CVE-2025-68493)
A critical XML External Entity (XXE) injection vulnerability, tracked as CVE-2025-68493, has been identified in the XWork component of Apache Struts 2. This flaw allows attackers to exploit improper XML input validation, potentially leading to sensitive data disclosure, server-side request forgery (SSRF), and denial-of-service (DoS) attacks. The vulnerability affects a wide range of Struts 2 versions, including 2.0.0–2.3.37, 2.5.0–2.5.33, and 6.0.0–6.1.0, exposing millions of applications to risk. Security researchers at ZAST.AI reported the issue, and Apache has rated the vulnerability as 'Important' due to its significant impact on data confidentiality and system availability. Organizations using affected versions are strongly advised to upgrade to Struts 6.1.1, which addresses the vulnerability. The issue is remotely exploitable and has been assigned a CVSS 3.1 score of 8.1 (High). Immediate patching is recommended to prevent exploitation, as attackers can leverage this flaw to extract configuration files, database credentials, and other sensitive information from vulnerable servers. The vulnerability has been confirmed by both independent security researchers and the Apache security team.
Mar 21, 2026
Multiple Recent Vulnerabilities in Apache Tomcat
Two significant vulnerabilities have been identified in Apache Tomcat, each with distinct attack vectors and impacts. CVE-2025-61795 is an improper resource shutdown or release vulnerability that can lead to a denial-of-service (DoS) condition if temporary files from multipart uploads are not cleaned up promptly, potentially exhausting disk space and exposing sensitive data. This issue affects Tomcat versions 11.0.0-M1 through 11.0.11, 10.1.0-M1 through 10.1.46, 9.0.0.M1 through 9.0.109, and several end-of-life versions, with patches available in 11.0.12, 10.1.47, and 9.0.110 and later. CVE-2025-55752 is a relative path traversal vulnerability introduced by a regression in the fix for a previous bug, allowing attackers to bypass security constraints and potentially upload malicious files if specific, non-default configurations are present. This vulnerability affects Tomcat versions 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, 9.0.0.M11 through 9.0.108, and certain EOL versions, with fixes in 11.0.11, 10.1.45, and 9.0.109 and later. Both vulnerabilities require prompt attention from administrators, especially those running affected Tomcat versions. The DoS vulnerability (CVE-2025-61795) can be exploited by attackers to exhaust server resources, while the path traversal flaw (CVE-2025-55752) could lead to remote code execution under specific conditions. Organizations are advised to upgrade to the latest patched versions to mitigate these risks and review their Tomcat configurations to ensure that non-default features such as HTTP PUT requests and URL rewriting are not unnecessarily enabled.
Mar 21, 2026
Apache HTTP Server mod_http2 Double-Free Exposes Pre-Auth RCE and DoS Risk
Apache HTTP Server disclosed **CVE-2026-23918**, a high-severity double-free flaw in `mod_http2` affecting version `2.4.66`, with researchers showing it can be triggered remotely over a single TCP connection by sending crafted HTTP/2 frames on the same stream. The bug stems from the same `h2_stream` object being queued twice for cleanup, causing a second `apr_pool_destroy` on freed memory; on multi-threaded MPM deployments such as **event** and **worker**, this can reliably crash worker processes without authentication, while **prefork** is not affected. Public reporting said denial-of-service is the most practical near-term outcome, but under specific conditions the memory corruption can be developed into pre-authenticated remote code execution. Apache fixed the issue in **version 2.4.67** by preventing duplicate cleanup entries and urged administrators to upgrade immediately. Guidance published alongside the disclosure recommended temporarily disabling **HTTP/2** where patching is delayed, using rate limiting or a WAF to reduce opportunistic abuse, and reviewing exposure from related modules after the same release also patched flaws in `mod_rewrite`, `mod_proxy_ajp`, `mod_md`, and `mod_dav_lock`. At the time of publication, sources said there was **no confirmed in-the-wild exploitation**, but warned that Apache HTTP Server's broad deployment and common `mod_http2` enablement make internet-facing systems attractive targets.
Jun 10, 2026