A significant denial-of-service (DoS) vulnerability has been discovered in Apache Struts 2, the widely used open-source framework for developing Java web applications. The flaw, identified as CVE-2025-66675, allows for a “file leak” in multipart request processing that can rapidly consume server disk space, potentially crashing affected systems.
The vulnerability was reported by security researcher Nicolas Fournier and has been rated with an “Important” security impact.
The core issue lies in how the framework handles file uploads. When support for file uploads is enabled—a common configuration in web applications—the system fails to properly clean up temporary files generated during multipart request processing.
According to the advisory, this failure results in a “file leak… [that] causes disk exhaustion”. By repeatedly initiating upload requests, an attacker could fill the server’s storage capacity with leftover temporary files, leading to a denial of service where the application or the entire server becomes unresponsive due to lack of disk space.
The vulnerability spans a vast history of Struts releases, including End-of-Life (EOL) versions that are likely still running in legacy environments.
- Struts 2.0.0 through 2.3.37 (EOL)
- Struts 2.5.0 through 2.5.33 (EOL)
- Struts 6.0.0 through 6.7.4
- Struts 7.0.0 through 7.0.3
The maintainers have released patches to address this flaw. Developers and administrators are urged to upgrade to Struts 6.8.0 or Struts 7.1.1 immediately.
For teams unable to upgrade right away, the advisory offers two critical workarounds:
- Isolate the Impact: “Define a temporary folder used to store uploaded files with limited size or on the dedicated volume which won’t affect system files”. This containment strategy ensures that even if the disk fills up, it won’t crash the core operating system.
- Disable the Feature: “Disable file upload support in the framework if not used,” effectively removing the attack vector entirely.
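The symptom of this bug on a live host is leftover temporary files piling up in the upload save directory while free space shrinks. The following shell check, added here as an example (not code from the advisory or the Struts project), can be scheduled against the directory the "Isolate the Impact" workaround points at; the directory path, the `upload_*.tmp` file-name pattern, the age threshold and the free-space floor are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the Struts advisory: scan the upload save
# directory for leftover multipart temp files and flag low free space.
# Assumed (hypothetical) values: the directory, the upload_*.tmp name
# pattern, the age after which a temp file counts as leaked, and the
# free-space floor. Override any of them via the environment.
SAVE_DIR="${SAVE_DIR:-/var/lib/struts/uploads}"
MAX_AGE_MIN="${MAX_AGE_MIN:-30}"          # a finished request should never leave files this old
MIN_FREE_KB="${MIN_FREE_KB:-1048576}"     # alert below 1 GiB free

# count_stale_uploads DIR AGE_MIN -> number of upload_*.tmp files older than AGE_MIN minutes
count_stale_uploads() {
    find "$1" -maxdepth 1 -type f -name 'upload_*.tmp' -mmin "+$2" 2>/dev/null | wc -l | tr -d ' '
}

# stale_bytes DIR AGE_MIN -> total bytes held by those leaked files
stale_bytes() {
    find "$1" -maxdepth 1 -type f -name 'upload_*.tmp' -mmin "+$2" -exec cat {} + 2>/dev/null | wc -c | tr -d ' '
}

# free_kb PATH -> free kilobytes on the volume holding PATH
free_kb() {
    df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4}'
}

# check_upload_dir DIR -> returns 0 healthy, 1 leaked files present, 2 disk nearly full
check_upload_dir() {
    dir="$1"
    status=0
    stale=$(count_stale_uploads "$dir" "$MAX_AGE_MIN")
    if [ "$stale" -gt 0 ]; then
        echo "WARN: $stale leaked upload temp file(s) in $dir, $(stale_bytes "$dir" "$MAX_AGE_MIN") bytes"
        status=1
    fi
    free=$(free_kb "$dir")
    if [ -n "$free" ] && [ "$free" -lt "$MIN_FREE_KB" ]; then
        echo "CRIT: only ${free} KiB free on the volume holding $dir"
        status=2
    fi
    return "$status"
}

# Run the check when invoked directly with --run (e.g. from cron); otherwise
# the file can be sourced so the functions are available to other scripts.
if [ "${1:-}" = "--run" ]; then
    check_upload_dir "$SAVE_DIR"
    exit $?
fi
```

A non-zero exit from `--run` is what a cron wrapper or monitoring agent should alert on; a growing WARN count between runs is the signature of the leak, and CRIT means the volume is close to the exhaustion the advisory describes.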