Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Apache Struts multipart request processing file leak DoS

IdentifiersCVE-2025-64775CWE-772

CVE-2025-64775 is a denial-of-service vulnerability in Apache Struts caused by a file leak during multipart request processing. When Struts handles multipart/form-data requests for file uploads, temporary files created as part of request parsing are not properly cleaned up under the vulnerable code path, allowing them to accumulate on disk. Repeated exploitation can exhaust available storage and destabilize or crash the application server. The issue is documented by the Apache Struts project as S2-068 and was reported by Nicolas Fournier. Affected versions are Apache Struts 2.0.0 through 6.7.0 and 7.0.0 through 7.0.3.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote attacker to consume disk space on the target system until temporary storage or the underlying filesystem is exhausted. This can cause denial of service for the Struts application and potentially the broader host, including failed uploads, application errors, inability to write logs or temporary files, degraded performance, and possible server instability or crashes.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, constrain the temporary directory used for uploaded files by placing it on a dedicated volume or filesystem with strict size limits so exhaustion does not impact the rest of the host. Monitor disk usage and alert on abnormal growth in multipart upload temp storage. If file upload functionality is not required, disable file upload support in Struts. These are compensating controls only and do not remove the underlying flaw.

Remediation

Patch, then assume compromise.

Upgrade Apache Struts to a fixed release. The provided fixes are Apache Struts 6.8.0 and 7.1.1 or later. The content indicates these versions address the file leak and that patches are backward compatible. Systems running end-of-life vulnerable branches should migrate to a supported fixed version rather than remain on unsupported releases.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Apache Software FoundationStrutsapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

19 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

19 SOURCESView more in app
cyber security newsNews
Dec 12, 2025
Apache Struts 2 DoS Vulnerability Let Attackers Crash Server

A critical denial-of-service vulnerability in Apache Struts 2's file upload functionality allows attackers to exhaust disk space via a file leak in multipart request processing, leading to server crashes and service disruption.

Read more
the hacker newsNews
Dec 8, 2025
⚡ Weekly Recap: USB Malware, React2Shell, WhatsApp Worms, AI IDE Bugs & More

A vulnerability in Apache Struts. Details not specified in the content.

Read more
security online infoNews
Dec 2, 2025
CVE-2025-64775: Apache Struts “File Leak” Vulnerability Threatens Disk Exhaustion

A vulnerability in Apache Struts, referred to as the 'File Leak' vulnerability, which can lead to disk exhaustion.

Read more
atlassian confluenceNews
Mar 18, 2026
Security Bulletin - January 20 2026 | Atlassian Support | Atlassian Documentation

A denial-of-service vulnerability in Apache Struts 2 core (org.apache.struts:struts2-core) dependency affecting Atlassian Crowd Data Center/Server.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity12

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-64775
NVD
nvd.nist.gov/vuln/detail/CVE-2025-64775
MITRE CWE · CWE-772
cwe.mitre.org
Vendor Advisory
cwiki.apache.org/confluence/display/WW/S2-068
Third Party Advisory
openwall.com/lists/oss-security/2025/12/01/2