Saturday, April 25, 2026

Critical Apache Struts Vulnerability Lets Hackers Overwhelm System Storage

A new denial-of-service vulnerability in Apache Struts exposes web applications to disk exhaustion attacks, in which hackers flood servers with temporary files until storage runs out.

Tracked as CVE-2025-64775, the flaw affects multiple versions of the popular Java web framework. It carries an “Important” severity rating from Apache.

Discovered by researcher Nicolas Fournier and detailed in an advisory by Lukasz Lenart on November 11, 2025, the flaw has no workaround: the only remediation Apache offers is to upgrade.

Apache Struts powers countless enterprise applications that accept file uploads through multipart/form-data requests, the standard encoding for sending files alongside form fields in an HTTP POST.

The core issue lies in the framework's multipart request processor, which buffers uploaded content in temporary files on disk rather than holding it in memory.

Normally those files are deleted once the request has been processed, but in specific scenarios a file leak prevents that cleanup from happening.

An attacker exploits this by sending a stream of crafted multipart requests, which can carry minimal or even empty bodies, each of which causes a temporary file to be created and never deleted.

Technical Breakdown Of The Exploit

Under the hood, Struts' MultiPartRequest implementation writes uploads to the directory configured by struts.multipart.saveDir, which defaults to the servlet container's temporary directory (often under /tmp on Unix-like servers or %TEMP% on Windows).

Each malicious request creates files through Apache Commons FileUpload's FileItem handling, but Struts' MultiPartRequestWrapper fails to release them in the affected code path, leaving them orphaned on disk.

Over minutes or hours, depending on request volume, disk usage spikes as files accumulate gigabytes unchecked.

Once the volume is full, the server effectively halts: new log entries fail to write, databases reject transactions, and applications crash with IOExceptions such as "No space left on device."

This DoS requires neither authentication nor a complex payload, making it attractive to low-skill attackers targeting public-facing Struts applications.

Generating the flood takes nothing more than a scripted loop of multipart POSTs, so Burp Suite Intruder or a few lines of custom code are enough to automate the barrage.
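Because the leak shows up on disk before it shows up in error logs, the most direct operational check is to look for temp files in the upload directory that have outlived any reasonable request. The script below is an added example, not code from the Apache Struts project or the advisory. It assumes that Commons FileUpload names its spill files upload_*.tmp inside the directory given by struts.multipart.saveDir (the pattern is a parameter in case your version differs), and it builds a constructed sample directory so it runs offline.

```python
"""Find multipart temp files that Struts never deleted (constructed example)."""
import fnmatch
import os
import tempfile
import time
from dataclasses import dataclass

# Assumption: Commons FileUpload spills uploads to files named upload_<id>_<n>.tmp
# inside the directory given by struts.multipart.saveDir. Adjust if yours differ.
TEMP_FILE_GLOB = "upload_*.tmp"


@dataclass
class Orphan:
    path: str
    size: int
    age_s: float


def scan_orphans(save_dir, min_age_s=300, now=None, pattern=TEMP_FILE_GLOB):
    """Return temp files older than min_age_s, oldest first.

    A healthy app deletes these as soon as the request completes, so anything
    that has survived several minutes was leaked rather than being in flight.
    """
    now = time.time() if now is None else now
    found = []
    with os.scandir(save_dir) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            if not fnmatch.fnmatch(entry.name, pattern):
                continue
            st = entry.stat(follow_symlinks=False)
            age = now - st.st_mtime
            if age >= min_age_s:
                found.append(Orphan(entry.path, st.st_size, age))
    found.sort(key=lambda o: o.age_s, reverse=True)
    return found


def summarize(orphans):
    """Totals that are useful to push to a metrics pipeline or an alert rule."""
    return {
        "count": len(orphans),
        "bytes": sum(o.size for o in orphans),
        "oldest_age_s": max((o.age_s for o in orphans), default=0.0),
    }


def exceeds_budget(summary, max_files=100, max_bytes=256 * 1024 * 1024):
    """True when the leak is large enough to page someone; tune to your traffic."""
    return summary["count"] > max_files or summary["bytes"] > max_bytes


def reap(orphans, dry_run=True):
    """Delete leaked files. Dry run by default; returns the number handled."""
    handled = 0
    for orphan in orphans:
        if not dry_run:
            try:
                os.remove(orphan.path)
            except FileNotFoundError:
                continue  # the app or another reaper got there first
        handled += 1
    return handled


def build_sample_dir(base, now):
    """Constructed sample: three hour-old leaked uploads, one fresh in-flight
    upload and one unrelated file, all created inside base."""
    for i in range(3):
        path = os.path.join(base, f"upload_deadbeef_{i}.tmp")
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 1024)
        os.utime(path, (now - 3600, now - 3600))
    fresh = os.path.join(base, "upload_deadbeef_99.tmp")
    with open(fresh, "wb") as fh:
        fh.write(b"\x00" * 1024)
    os.utime(fresh, (now, now))
    with open(os.path.join(base, "README.txt"), "w") as fh:
        fh.write("not an upload\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as save_dir:
        now = time.time()
        build_sample_dir(save_dir, now)
        orphans = scan_orphans(save_dir, now=now)
        report = summarize(orphans)
        print(report, "ALERT" if exceeds_budget(report, max_files=2) else "ok")
        print("would delete", reap(orphans), "files")
```

Run it from cron against the real save directory with dry_run left on until you have confirmed the age threshold is comfortably longer than your slowest legitimate upload; deleting a file that is still being written corrupts that upload rather than fixing the leak.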

Affected Versions and Urgent Fixes

The vulnerability affects Struts 2.0.0 through 2.3.37 (end-of-life), 2.5.0 through 2.5.33 (also EOL), 6.0.0 through 6.7.0, and 7.0.0 through 7.0.3.

EOL branches amplify the risk, as they receive no patches at all. Apache recommends upgrading to Struts 6.8.0 (latest 6.x) or 7.1.1 or later, where the fix ensures that FileItem streams are closed and their temporary files disposed of reliably.

Because there is no configuration-level workaround, interim measures can only limit the blast radius: point struts.multipart.saveDir at a dedicated volume or quota so a flood cannot fill the root filesystem, monitor disk usage with df -h or Prometheus, and rate-limit or block POST floods at the edge. Note that struts.multipart.maxSize caps the size of each upload, not the number of leaked files, so it slows an attack that uses small or empty bodies but does not stop it.
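The edge-side signal is a single client hammering an upload endpoint with multipart POSTs far faster than any real user. The detector below is an added example, not part of the original article or the Struts project. It assumes an access log written in a custom Apache-style format that appends the request Content-Type header (for example `%h %t "%r" %>s %b "%{Content-Type}i"`), and it builds a constructed log with a benign user, an attacker and some noise so it runs offline.

```python
"""Flag clients sending multipart POST floods in a constructed access log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format: ip [timestamp] "METHOD path proto" status bytes "content-type"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ctype>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_multipart_post(rec):
    return rec["method"] == "POST" and rec["ctype"].lower().startswith("multipart/form-data")


def detect_floods(lines, window_s=60, max_posts=20):
    """Sliding-window rate check per client IP.

    Returns {ip: peak_count} for every client that exceeded max_posts
    multipart POSTs inside any window_s-second span. Lines from one IP must
    be in time order; ordering across IPs does not matter.
    """
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_multipart_post(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_posts:
            offenders[rec["ip"]] = max(offenders.get(rec["ip"], 0), len(q))
    return offenders


def make_sample_log():
    """Constructed sample: one real user, one attacker, two unrelated requests."""
    base = datetime(2025, 11, 12, 9, 0, 0, tzinfo=timezone.utc)

    def post(ip, t, ctype="multipart/form-data; boundary=----x"):
        return f'{ip} [{t.strftime(TS_FMT)}] "POST /upload.action HTTP/1.1" 200 512 "{ctype}"'

    lines = [post("198.51.100.5", base + timedelta(seconds=30 * i)) for i in range(3)]
    # attacker: 30 multipart POSTs in under ten seconds, bodies can be empty
    lines += [post("203.0.113.7", base + timedelta(milliseconds=333 * i)) for i in range(30)]
    lines.append(f'192.0.2.9 [{base.strftime(TS_FMT)}] "GET /index.action HTTP/1.1" 200 1024 "-"')
    lines.append(post("192.0.2.9", base, ctype="application/json"))
    return lines


if __name__ == "__main__":
    for ip, peak in detect_floods(make_sample_log()).items():
        print(f"{ip}: {peak} multipart POSTs inside one window")
```

Feed the offender list to whatever blocks at your edge (a WAF rule, a firewall set, a rate limiter), and keep the threshold well above your busiest legitimate uploader; the goal is to catch the thousands-per-minute pattern the DoS needs, not to throttle a user attaching several files.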

Enterprises scanning with Nessus or Qualys should prioritize Struts assets, since an unpatched production system can be taken down by a single unauthenticated client. With the advisory fresh, swift action prevents real-world outages.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging threats and technologies.
