The Apache Software Foundation has issued an important advisory regarding a significant Denial of Service (DoS) vulnerability affecting nearly all versions of its popular Struts framework. The flaw, identified as CVE-2025-64775 (S2-068), allows attackers to slowly choke a server by exploiting how it handles file uploads, eventually filling the disk and crashing the application.
The vulnerability resides in the core mechanism Apache Struts uses to handle “multipart request processing”—the standard method used by web applications to handle file uploads and complex data forms.
Under normal circumstances, when a server processes a multipart request, it creates temporary files to handle the incoming data stream. Once the process is complete, these temporary files should be deleted to free up space. However, CVE-2025-64775 creates a “file leak” scenario.
Due to a flaw in the logic, the framework fails to clean up these temporary files properly. An attacker can exploit this by sending a flood of specific multipart requests. While each request might only leave behind a small temporary file, the cumulative effect is devastating.
Over time, these files accumulate until they consume all available disk space. Once the disk is full, the operating system and the application can no longer write logs, save sessions, or process new data, leading to a complete system paralysis (Denial of Service).
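A defender-side check that follows from the mechanism above, added here as an example and not code from the advisory or the Struts project: it scans the JVM's temp directory for multipart temp files that outlived any plausible request and combines that count with the volume's free space, so the slow accumulation is caught before the disk fills. It assumes the temp files sit in `java.io.tmpdir` and use the commons-fileupload `upload_*.tmp` naming; adjust `PREFIX`/`SUFFIX` to what your deployment actually writes.

```python
import os
import shutil
import tempfile
import time
from collections import namedtuple

# Assumption (not stated in the advisory): the multipart temp files land in the
# JVM's java.io.tmpdir and follow the commons-fileupload "upload_*.tmp" naming.
PREFIX, SUFFIX = "upload_", ".tmp"
LeakReport = namedtuple("LeakReport", "stale_files stale_bytes disk_free_pct alert")

def find_stale_uploads(tmp_dir, max_age_s=600, now=None):
    """Return (path, size) for matching temp files older than max_age_s."""
    now = time.time() if now is None else now
    stale = []
    for name in os.listdir(tmp_dir):
        if not (name.startswith(PREFIX) and name.endswith(SUFFIX)):
            continue
        path = os.path.join(tmp_dir, name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue  # deleted between listdir and stat: a request that finished normally
        if now - st.st_mtime > max_age_s:  # an in-flight upload is younger than this
            stale.append((path, st.st_size))
    return stale

def assess(tmp_dir, max_age_s=600, max_stale=100, min_free_pct=10.0, now=None):
    """Alert on a growing backlog of orphans, or on the disk nearing exhaustion."""
    stale = find_stale_uploads(tmp_dir, max_age_s, now)
    usage = shutil.disk_usage(tmp_dir)
    free_pct = 100.0 * usage.free / usage.total
    alert = len(stale) > max_stale or free_pct < min_free_pct
    return LeakReport(len(stale), sum(size for _, size in stale), free_pct, alert)

def build_sample_dir():
    """Constructed sample: three hour-old orphans, one fresh upload, one unrelated file."""
    d = tempfile.mkdtemp()
    old = time.time() - 3600
    for name, stamp in [("upload_1.tmp", old), ("upload_2.tmp", old), ("upload_3.tmp", old),
                        ("upload_4.tmp", None), ("notes.txt", old)]:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(b"x" * 1024)
        if stamp is not None:
            os.utime(path, (stamp, stamp))
    return d

if __name__ == "__main__":
    print(assess(build_sample_dir(), max_stale=2))
```

Run it from cron or a monitoring agent against the real temp directory; a steadily rising `stale_files` with a normal request rate is the signature of this leak rather than of legitimate load.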
The affected versions include:
- Apache Struts 2: Versions 2.0.0 through 6.7.0
- Apache Struts 7: Versions 7.0.0 through 7.0.3
The severity is rated as Important. While it does not allow for Remote Code Execution (RCE)—the usual nightmare scenario for Struts—a DoS attack can be just as damaging for business continuity, knocking critical services offline with relatively low effort from an attacker.
System administrators and developers are urged to upgrade their dependencies immediately to close this hole. The Apache Struts team has released patched versions that correctly handle the lifecycle of temporary files during multipart requests.
- Users on the 6.x branch should upgrade to Struts 6.8.0.
- Users on the 7.x branch should upgrade to Struts 7.1.1.
Failure to patch leaves servers vulnerable to a trivial but highly effective resource exhaustion attack.