A new denial-of-service vulnerability in Apache Struts exposes web applications to disk exhaustion attacks, in which hackers flood servers with temporary files until storage runs out.
Tracked as CVE-2025-64775, the flaw affects multiple versions of the popular Java web framework. It carries an “Important” severity rating from Apache.
Discovered by researcher Nicolas Fournier and detailed in an advisory by Lukasz Lenart on November 11, 2025, the flaw has no workaround; Apache's only remedy is an immediate upgrade.
Apache Struts powers countless enterprise applications handling file uploads via multipart requests, a standard HTTP method for transferring files alongside form data.
The core issue lies in the framework’s multipart request processor, which creates temporary files on disk to safely manage uploads.
Usually, these files get deleted after processing, but a subtle file leak prevents cleanup in specific scenarios.
Attackers exploit this by sending repeated, specially crafted multipart requests, often with minimal or empty payloads, that trigger file creation without proper deletion.
Under the hood, Struts uses Java’s MultipartRequest handling, relying on temporary file storage in the system’s default temp directory, typically /tmp on Unix-like servers or %TEMP% on Windows.
Each malicious request spawns files via the FileItem interface from Apache Commons FileUpload, but a race condition or incomplete reference release in Struts’ MultiPartRequestWrapper leaves them orphaned.
Over minutes or hours, depending on request volume, disk usage climbs as the leaked files accumulate unchecked into gigabytes.
Once storage reaches 100%, the server halts: new logs fail to write, databases reject transactions, and applications crash with IOExceptions such as “No space left on device.”
This DoS disrupts services without needing authentication or complex payloads, making it ideal for low-skill attackers targeting public-facing Struts apps.
Evidence from security scans shows rapid exploitation potential, with tools like Burp Suite or custom scripts automating the barrage.
The vulnerability hits Struts 2.0.0 through 2.3.37 (end-of-life), 2.5.0 through 2.5.33 (also EOL), 6.0.0 through 6.7.0, and 7.0.0 through 7.0.3.
EOL branches amplify risks, as they receive no patches. Apache recommends upgrading to Struts 6.8.0 (latest 6.x) or at least 7.1.1, where fixes ensure FileItem streams close reliably via enhanced dispose() calls.
In the interim, teams can monitor disk usage with tools like df -h or Prometheus, set upload limits with struts.multipart.maxSize, and firewall suspicious POST floods.
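One way to catch the symptom described above before the disk fills, as an added example that is not part of the advisory or of Struts itself: a Python monitor that counts disk-backed multipart temp files in the temp directory that are older than any legitimate request could be. The upload_*.tmp name pattern, the 300-second age cutoff and the thresholds are assumptions to tune for the deployment; the fixture files are constructed.

```python
"""Monitor a temp directory for leaked multipart upload files.

A file still being processed by Struts is young; one older than the
request lifetime is presumed orphaned. Alert when orphans exceed a
count or size threshold (constructed example, assumed naming).
"""
import glob
import os
import shutil
import tempfile
import time
from dataclasses import dataclass


@dataclass
class ScanResult:
    orphaned_count: int
    orphaned_bytes: int
    alert: bool


def scan_orphaned_uploads(temp_dir, pattern="upload_*.tmp", max_age_s=300,
                          count_threshold=100, bytes_threshold=1 << 30):
    """Count and size temp files older than max_age_s; decide whether to alert."""
    now = time.time()
    count, total = 0, 0
    for path in glob.glob(os.path.join(temp_dir, pattern)):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue  # cleaned up between listing and stat: not a leak
        if now - st.st_mtime < max_age_s:
            continue  # within request lifetime, may legitimately be in use
        count += 1
        total += st.st_size
    return ScanResult(count, total, count >= count_threshold or total >= bytes_threshold)


def make_sample_tempdir(root, leaked=120, fresh=3, size=4096):
    """Constructed fixture: leaked files with hour-old mtimes plus a few in-flight ones."""
    now = time.time()
    for i in range(leaked):
        path = os.path.join(root, f"upload_leaked_{i}.tmp")
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
        os.utime(path, (now - 3600, now - 3600))  # an hour old: orphaned
    for i in range(fresh):
        with open(os.path.join(root, f"upload_fresh_{i}.tmp"), "wb") as fh:
            fh.write(b"\0" * size)  # mtime is now: still in flight, not counted


def run_demo(**scan_kwargs):
    """Build the fixture in a fresh directory, scan it, and clean up."""
    root = tempfile.mkdtemp(prefix="struts-leak-demo-")
    try:
        make_sample_tempdir(root)
        return scan_orphaned_uploads(root, **scan_kwargs)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

In production, point scan_orphaned_uploads at the JVM's java.io.tmpdir and run it from cron or an exporter; a rising orphan count on a host that should be cleaning up after every request is the signal this leak produces.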
Enterprises scanning with Nessus or Qualys should prioritize Struts assets, as unpatched systems face downtime in production. With the advisory fresh, swift action prevents real-world outages.