SentinelOne

CVE-2023-41835: Apache Struts Information Disclosure Flaw

CVE-2023-41835 is an information disclosure vulnerability in Apache Struts where multipart upload files persist in struts.multipart.saveDir after request denial. This article covers technical details, affected versions, and mitigation.

CVE-2023-41835 Overview

CVE-2023-41835 is a vulnerability in Apache Struts that affects the handling of multipart file upload requests. When a multipart request is processed and some of the fields exceed the configured maxStringLength limit, the uploaded files remain in the struts.multipart.saveDir directory even after the request has been denied. This incomplete cleanup behavior can lead to disk space exhaustion and denial of service conditions on affected systems.

Critical Impact

Attackers can exhaust disk space on vulnerable Apache Struts servers by repeatedly sending malformed multipart requests, causing uploaded files to accumulate indefinitely and potentially rendering applications unavailable.

Affected Products

  • Apache Struts versions prior to 2.5.32
  • Apache Struts versions prior to 6.1.2.2
  • Apache Struts versions prior to 6.3.0.1

Discovery Timeline

  • 2023-12-05 - CVE-2023-41835 published to NVD
  • 2025-11-04 - Last updated in the NVD database

Technical Details for CVE-2023-41835

Vulnerability Analysis

This vulnerability is classified under CWE-459 (Incomplete Cleanup), which describes a condition where a product does not properly clean up and remove temporary or supporting resources after they have been used. In the context of Apache Struts, the multipart request handler fails to delete uploaded files from the temporary storage directory when request validation fails due to field length constraints.

The vulnerability can be exploited remotely without authentication. The attack complexity is low, requiring only the ability to send HTTP multipart requests to the target server. While the vulnerability does not directly compromise confidentiality or integrity, it poses a significant availability risk through resource exhaustion.

Root Cause

The root cause lies in the incomplete error handling logic within the Apache Struts multipart request processing component. When the framework validates incoming multipart requests, it checks whether string fields exceed the maxStringLength configuration parameter. If this limit is exceeded, the request is rejected; however, the cleanup routine that should remove already-uploaded temporary files fails to execute properly, leaving orphaned files in the struts.multipart.saveDir directory.

Attack Vector

The attack vector is network-based and requires no privileges or user interaction. An attacker can craft malicious multipart HTTP requests containing:

  1. One or more file upload fields with actual file content
  2. String fields that exceed the configured maxStringLength limit

When the server processes these requests, it first saves the uploaded files to the temporary directory, then validates the string fields. Upon detecting the length violation, the request is rejected, but the temporary files persist on disk. By repeatedly sending such requests, an attacker can fill the available disk space, causing denial of service.

The exploitation mechanism involves sending HTTP multipart/form-data POST requests with oversized string parameters combined with file attachments. Each rejected request leaves behind orphaned files in the temporary upload directory. Since no authentication is required and the attack is trivially automated, an adversary can rapidly exhaust disk resources on the target system.

Detection Methods for CVE-2023-41835

Indicators of Compromise

  • Unusual growth of files in the struts.multipart.saveDir directory
  • High volume of HTTP 400/413 error responses for multipart requests
  • Disk space alerts on application servers running Apache Struts
  • Large numbers of temporary upload files with timestamps correlating to request denial events

Detection Strategies

  • Monitor the struts.multipart.saveDir directory for abnormal file accumulation
  • Implement log analysis rules to detect patterns of rejected multipart requests followed by disk space consumption
  • Configure web application firewall (WAF) rules to rate-limit multipart uploads from individual sources
  • Deploy endpoint detection solutions to alert on filesystem anomalies in application directories

Monitoring Recommendations

  • Set up alerts for disk usage thresholds on servers running Apache Struts applications
  • Implement periodic cleanup scripts for the multipart temporary directory as a defensive measure
  • Monitor HTTP access logs for patterns of multipart POST requests with high error rates
  • Enable detailed logging for the Struts multipart interceptor to capture rejected request details
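The log-analysis rule suggested above (rejected multipart requests clustered from one source) can be expressed as a small detection script. The following is an added example, not SentinelOne's or Apache's code. It assumes the access log was written with a Tomcat AccessLogValve pattern that appends the request's Content-Type header (for example `%h %l %u %t "%r" %s %b "%{Content-Type}i"`), since the default combined format does not record it; the log lines embedded in the script are constructed for illustration.

```python
"""Detection rule for the CVE-2023-41835 request pattern in HTTP access logs.

Added example (not SentinelOne's or Apache's code). Assumes a Tomcat
AccessLogValve pattern of the form
    %h %l %u %t "%r" %s %b "%{Content-Type}i"
so that each line ends with the request Content-Type. The sample lines
below are constructed, not captured from a real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: one source hammering the upload action with
# rejected multipart POSTs, one legitimate client, one non-multipart 400.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Dec/2023:10:00:01 +0000] "POST /upload.action HTTP/1.1" 400 0 "multipart/form-data; boundary=----x"
203.0.113.7 - - [05/Dec/2023:10:00:02 +0000] "POST /upload.action HTTP/1.1" 400 0 "multipart/form-data; boundary=----x"
203.0.113.7 - - [05/Dec/2023:10:00:03 +0000] "POST /upload.action HTTP/1.1" 413 0 "multipart/form-data; boundary=----x"
203.0.113.7 - - [05/Dec/2023:10:00:04 +0000] "POST /upload.action HTTP/1.1" 400 0 "multipart/form-data; boundary=----x"
198.51.100.9 - - [05/Dec/2023:10:00:05 +0000] "POST /upload.action HTTP/1.1" 200 512 "multipart/form-data; boundary=----y"
198.51.100.9 - - [05/Dec/2023:10:30:00 +0000] "POST /upload.action HTTP/1.1" 400 0 "multipart/form-data; boundary=----y"
192.0.2.4 - - [05/Dec/2023:10:00:06 +0000] "POST /login.action HTTP/1.1" 400 0 "application/x-www-form-urlencoded"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ctype>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def rejected_multipart_events(log_text):
    """Yield (client_ip, timestamp) for multipart POSTs the server rejected.

    400 and 413 are the statuses the page associates with denied multipart
    requests; a 200 upload from the same client is deliberately not counted.
    """
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST"
                and rec["ctype"].lower().startswith("multipart/form-data")
                and rec["status"] in (400, 413)):
            yield rec["ip"], rec["ts"]


def flag_sources(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {client_ip: count} for sources that produced at least `threshold`
    rejected multipart POSTs inside any sliding window of length `window`."""
    per_ip = defaultdict(list)
    for ip, ts in rejected_multipart_events(log_text):
        per_ip[ip].append(ts)

    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        best = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans at most `window`.
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))  # {'203.0.113.7': 4}
```

The threshold and window are tuning knobs; a single rejected upload is normal, so the rule only fires on a burst from one client, which is the shape of the resource-exhaustion pattern described above. Feed it the real log file contents instead of `SAMPLE_LOG` to run it against a server.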

How to Mitigate CVE-2023-41835

Immediate Actions Required

  • Upgrade Apache Struts to version 2.5.32, 6.1.2.2, or 6.3.0.1 or later immediately
  • Review and adjust maxStringLength configuration to align with application requirements
  • Implement periodic cleanup of the struts.multipart.saveDir directory until patches are applied
  • Consider implementing request rate limiting at the load balancer or WAF level

Patch Information

Apache has released security patches addressing this vulnerability. Users should upgrade to one of the following versions:

  • Struts 2.5.x branch: Upgrade to version 2.5.32 or later
  • Struts 6.1.x branch: Upgrade to version 6.1.2.2 or later
  • Struts 6.3.x branch: Upgrade to version 6.3.0.1 or later

For additional information, refer to the Apache Mailing List Thread and the OpenWall OSS-Security Discussion.

Workarounds

  • Implement a scheduled task to periodically purge orphaned files from the struts.multipart.saveDir directory
  • Configure disk quotas for the temporary upload directory to limit the impact of exploitation
  • Deploy WAF rules to reject multipart requests exceeding reasonable size thresholds
  • Monitor and alert on rapid file creation in the temporary upload directory
```bash
# Example: Scheduled cleanup script for temporary upload directory
# Add to crontab to run every hour; only files untouched for more than
# 60 minutes are removed, so in-flight uploads are left alone
0 * * * * find /path/to/struts/multipart/saveDir -type f -mmin +60 -delete

# Alternative: Set up disk quota (Linux)
# setquota -u struts_user 1G 2G 0 0 /path/to/upload/partition
```
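The file-accumulation indicator listed under Indicators of Compromise and the "rapid file creation" workaround above both come down to the same check: count how many files in struts.multipart.saveDir were written in the last few minutes and how much space they take. The following is an added example, not SentinelOne's or Apache's code; the directory path is whatever struts.multipart.saveDir resolves to on the host, and the fixture directory the script builds for its own demonstration is constructed from a temporary directory and synthetic files.

```python
"""Monitor for orphaned multipart uploads accumulating in struts.multipart.saveDir.

Added example (not SentinelOne's or Apache's code). The caller passes the
real saveDir path; build_sample_dir() creates a constructed fixture so the
script can run offline.
"""
import os
import tempfile
import time


def scan_save_dir(path, now=None, window_minutes=10):
    """Return (recent_files, recent_bytes, total_files, total_bytes) for regular
    files directly under `path`; 'recent' means modified within window_minutes."""
    now = time.time() if now is None else now
    cutoff = now - window_minutes * 60
    recent_files = recent_bytes = total_files = total_bytes = 0
    with os.scandir(path) as entries:
        for entry in entries:
            # Skip subdirectories and symlinks; only plain upload files count.
            if not entry.is_file(follow_symlinks=False):
                continue
            st = entry.stat(follow_symlinks=False)
            total_files += 1
            total_bytes += st.st_size
            if st.st_mtime >= cutoff:
                recent_files += 1
                recent_bytes += st.st_size
    return recent_files, recent_bytes, total_files, total_bytes


def is_anomalous(stats, max_recent_files=50, max_recent_bytes=200 * 1024 * 1024):
    """Alert when files are landing faster or larger than legitimate uploads
    should; thresholds are assumptions to be tuned per application."""
    recent_files, recent_bytes, _, _ = stats
    return recent_files > max_recent_files or recent_bytes > max_recent_bytes


def build_sample_dir(now, n_recent=60, n_old=5):
    """Constructed fixture: n_recent files touched 30 s ago and n_old files one
    day old, each 1 KiB. Returns the temporary directory path."""
    d = tempfile.mkdtemp(prefix="struts-savedir-")
    for i in range(n_recent + n_old):
        p = os.path.join(d, f"upload_{i}.tmp")
        with open(p, "wb") as f:
            f.write(b"\0" * 1024)
        age = 30 if i < n_recent else 86400
        os.utime(p, (now - age, now - age))
    return d


if __name__ == "__main__":
    now = time.time()
    d = build_sample_dir(now)
    stats = scan_save_dir(d, now=now)
    print(stats, "anomalous:", is_anomalous(stats))  # (60, 61440, 65, 66560) anomalous: True
```

Run it from the same hourly cron that does the cleanup, but before the `find -delete` step, so the alert fires on the burst rather than on an already-purged directory; the counts can also be shipped as metrics to feed the disk-usage alerts recommended above.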

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
