SentinelOne

CVE-2025-64775: Apache Struts DoS Vulnerability

CVE-2025-64775 is a denial of service vulnerability in Apache Struts caused by file leaks in multipart request processing that lead to disk exhaustion. This article covers technical details, affected versions, and mitigation.


CVE-2025-64775 Overview

CVE-2025-64775 is a high-severity Denial of Service (DoS) vulnerability affecting Apache Struts, a popular open-source MVC framework for creating Java web applications. The vulnerability stems from a file leak in the multipart request processing mechanism, which can lead to disk exhaustion on affected systems.

When processing multipart HTTP requests, Apache Struts fails to properly clean up temporary files under certain conditions. This incomplete cleanup (CWE-459) allows attackers to send specially crafted requests that accumulate temporary files on the server's disk, eventually exhausting available storage and causing service disruption.

Critical Impact

Remote attackers can exploit this vulnerability without authentication to exhaust disk space on vulnerable Apache Struts servers, causing complete denial of service to web applications.

Affected Products

  • Apache Struts versions 2.0.0 through 6.7.0
  • Apache Struts versions 7.0.0 through 7.0.3
  • Any Java web application built on affected Apache Struts versions

Discovery Timeline

  • 2025-12-01 - CVE-2025-64775 published to NVD
  • 2025-12-03 - Last updated in NVD database

Technical Details for CVE-2025-64775

Vulnerability Analysis

The vulnerability resides in Apache Struts' multipart request handling. Struts delegates multipart parsing to a configurable multipart request handler (selected by the `struts.multipart.parser` setting; the Jakarta/Commons FileUpload based parsers are the usual choice). While a request is being parsed, each uploaded part is written to a temporary file in the multipart save directory (`struts.multipart.saveDir`, which defaults to the servlet container's temp directory) and is meant to be deleted once the action has finished with it.

The CVSS 3.1 score of 7.5 (High) reflects the severity of this vulnerability, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H indicating:

  • Attack Vector (AV:N): Network-accessible, exploitable remotely
  • Attack Complexity (AC:L): Low complexity to execute
  • Privileges Required (PR:N): No authentication needed
  • User Interaction (UI:N): No user interaction required
  • Scope (S:U): Impact confined to the vulnerable component's own authorization scope
  • Confidentiality and Integrity Impact (C:N, I:N): No data disclosure or modification
  • Availability Impact (A:H): High impact on system availability

The EPSS score of 0.122% (32nd percentile) estimates a low probability of exploitation in the wild over the next 30 days. A low EPSS score says nothing about impact once an attack does occur, and the attack is trivial to automate, so internet-facing applications with multipart endpoints should still be remediated promptly.

Root Cause

The root cause is classified under CWE-459 (Incomplete Cleanup). The multipart request parser creates temporary files during request processing but fails to properly delete these files in all code paths. Specifically, when certain error conditions occur or when requests are malformed in particular ways, the cleanup routines are bypassed, leaving orphaned files on the disk.

This behavior compounds over time—each malicious request leaves behind file artifacts that accumulate until disk space is exhausted. The issue affects the resource management lifecycle within the multipart parsing component.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:

  1. Identifying a target Apache Struts application with an endpoint that accepts multipart requests
  2. Sending repeated multipart HTTP requests crafted to trigger the file leak condition, each of which leaves behind temporary files that are never cleaned up
  3. Continuing the attack until the disk holding the save directory is exhausted
  4. Once disk space is depleted, the application becomes unavailable, and other services that share the same filesystem (logs, databases, the servlet container itself) may also fail

The vulnerability is particularly dangerous because multipart endpoints are common in web applications for file uploads, form submissions, and API interactions. The attack requires only network access to the vulnerable endpoint and can be automated for sustained impact.

Detection Methods for CVE-2025-64775

Indicators of Compromise

  • Rapid growth in disk usage on servers running Apache Struts applications
  • Accumulation of temporary files in the multipart save directory: `struts.multipart.saveDir` if configured, otherwise the servlet container's temp directory (on Tomcat, the application's directory under `work/`); check `/tmp` or `java.io.tmpdir` only if the application has been pointed there
  • Unusual volume of multipart HTTP requests in web server access logs
  • Application errors related to disk space exhaustion or inability to create temporary files
  • Server performance degradation followed by service unavailability

Detection Strategies

Organizations should implement monitoring for both the vulnerability exploitation attempts and the effects of successful attacks:

Log Analysis: Monitor web server access logs for patterns of repeated multipart requests from single sources or distributed sources targeting the same endpoints. Look for unusually high request rates to file upload or form submission endpoints.

File System Monitoring: Track the creation of temporary files in Java application temp directories. Alert on unusual file accumulation patterns or rapid temp directory growth.

Disk Space Alerts: Configure disk space monitoring with appropriate thresholds to detect gradual disk exhaustion before it causes service outages.

Application Performance Monitoring: Watch for increases in request processing time or error rates that may indicate resource pressure.
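The log analysis and file system monitoring strategies above, as an added example that is not SentinelOne's or Apache's code. It assumes two things that are not in the original page: that the access log is the "combined" format with the request Content-Type header appended as a final quoted field (the header is not logged by default and must be added to the LogFormat/log_format), and that leaked uploads carry the `upload_<id>.tmp` names used by Commons FileUpload style parsers. Both the log lines and the save directory it inspects are constructed inline.

```python
"""Detection helpers for multipart temp-file exhaustion (CVE-2025-64775).

Added example, not SentinelOne or Apache code.  Assumptions (not from the page):
  * access-log format = "combined" + a trailing quoted request Content-Type field;
  * leaked upload files are named upload_<id>.tmp (Commons FileUpload style);
    adjust TEMP_PATTERN for other parsers.
All sample data below is constructed.
"""
import os
import re
import tempfile
import time
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<ctype>[^"]*)"$'
)
TEMP_PATTERN = re.compile(r"^upload_.*\.tmp$")


def parse_line(line):
    """Parse one access-log line; None if it does not match the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "ctype": m.group("ctype").lower(),
    }


def multipart_bursts(lines, window_s=60, threshold=20):
    """Sliding-window count of multipart POSTs per client IP.

    Lines must be chronological per IP (true for a normal access log).
    Returns {ip: peak count} for IPs whose peak in any window_s window
    reached threshold.  Tune threshold to the endpoint's normal traffic.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["ctype"].startswith("multipart/"):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def orphaned_uploads(save_dir, older_than_s=600, now=None):
    """Count leaked upload temp files older than a grace period -> (count, bytes).

    The grace period must exceed the longest legitimate upload-processing
    time, otherwise in-flight uploads are reported as leaks.
    """
    now = time.time() if now is None else now
    count = total = 0
    for name in os.listdir(save_dir):
        if not TEMP_PATTERN.match(name):
            continue
        st = os.stat(os.path.join(save_dir, name))
        if now - st.st_mtime > older_than_s:
            count += 1
            total += st.st_size
    return count, total


def constructed_log():
    """Constructed: 25 multipart POSTs in 25 s from one IP, 2 from another, 1 GET."""
    base = datetime(2025, 12, 2, 10, 0, 0, tzinfo=timezone.utc)
    post = '{ip} - - [{ts}] "POST /upload.action HTTP/1.1" 500 0 "-" "curl/8.0" "{ct}"'

    def stamp(sec):
        return (base + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")

    events = [(i, post.format(ip="203.0.113.7", ts=stamp(i), ct="multipart/form-data; boundary=x"))
              for i in range(25)]
    events += [(s, post.format(ip="198.51.100.4", ts=stamp(s), ct="multipart/form-data; boundary=y"))
               for s in (3, 40)]
    events.append((41, '198.51.100.4 - - [%s] "GET /index.action HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"'
                   % stamp(41)))
    return [line for _, line in sorted(events)]


def constructed_save_dir():
    """Constructed: three stale leaked uploads, one fresh upload, one unrelated file."""
    d = tempfile.mkdtemp(prefix="struts-savedir-")
    stale = time.time() - 1200
    for name in ("upload_1.tmp", "upload_2.tmp", "upload_3.tmp"):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(b"\0" * 1024)
        os.utime(p, (stale, stale))
    with open(os.path.join(d, "upload_fresh.tmp"), "wb") as f:
        f.write(b"\0" * 1024)
    with open(os.path.join(d, "catalina.log"), "wb") as f:
        f.write(b"x" * 4096)
    return d


if __name__ == "__main__":
    print("multipart bursts:", multipart_bursts(constructed_log()))   # {'203.0.113.7': 25}
    print("orphaned uploads:", orphaned_uploads(constructed_save_dir()))  # (3, 3072)
```

Run the burst check against rotated logs on a schedule and the orphan check against the real save directory; the orphan count trending upward while request volume is flat is the strongest single indicator, because it measures the leak itself rather than traffic that may or may not trigger it.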

Monitoring Recommendations

SentinelOne Singularity provides comprehensive protection against exploitation attempts through behavioral analysis and real-time threat detection. The platform can identify anomalous file system activity patterns consistent with disk exhaustion attacks and alert security teams before service disruption occurs.

Deploy file integrity monitoring on critical application directories and configure automated responses for disk space threshold violations. Consider implementing rate limiting on multipart endpoints at the web application firewall (WAF) level to reduce the effectiveness of sustained attacks.

How to Mitigate CVE-2025-64775

Immediate Actions Required

  • Upgrade Apache Struts to version 6.8.0 or 7.1.1 immediately, as these versions contain the fix
  • Implement rate limiting on multipart request endpoints to reduce attack surface
  • Configure disk space alerts with aggressive thresholds on affected servers
  • Monitor temp directories for unusual file accumulation and implement automated cleanup

Patch Information

Apache has released patched versions that address this vulnerability:

  • For Struts 6.x users: Upgrade to version 6.8.0 or later
  • For Struts 7.x users: Upgrade to version 7.1.1 or later
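An inventory check for the affected and fixed versions listed above, as an added example rather than SentinelOne's or Apache's tooling. It walks a deployment root for `struts2-core-<version>.jar` files (the bundled jar name used by Struts 2 applications) and classifies each version against the ranges on this page; versions that fall outside the listed affected ranges but below the fixed release are reported as "verify" rather than assumed safe, because the page does not state their status. The directory tree it scans is constructed.

```python
"""Inventory struts2-core jars and flag versions affected by CVE-2025-64775.

Added example, not Apache or SentinelOne code.  Ranges are taken from this
advisory page: affected 2.0.0-6.7.0 and 7.0.0-7.0.3; fixed in 6.8.0 and 7.1.1.
The sample deployment tree is constructed.
"""
import os
import re
import tempfile

JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)(?:[-.][0-9A-Za-z]+)?\.jar$")
AFFECTED = [((2, 0, 0), (6, 7, 0)), ((7, 0, 0), (7, 0, 3))]
FIXED = {6: (6, 8, 0), 7: (7, 1, 1)}


def parse_version(text):
    """'6.3.0.2' -> (6, 3, 0, 2); short versions are padded so '6.7' == '6.7.0'."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def classify(version):
    """'affected', 'fixed' or 'verify' (not listed on the page; check the advisory)."""
    v = parse_version(version)
    if any(lo <= v <= hi for lo, hi in AFFECTED):
        return "affected"
    fixed = FIXED.get(v[0])
    if fixed is not None and v >= fixed:
        return "fixed"
    return "verify"


def scan(root):
    """Walk root; return sorted [(relative jar path, version, status)]."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = JAR_RE.match(name)
            if m:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append((rel, m.group(1), classify(m.group(1))))
    return sorted(found)


def constructed_tree():
    """Constructed webapps root with four applications on different Struts versions."""
    root = tempfile.mkdtemp(prefix="webapps-")
    for app, ver in (("legacy", "2.5.33"), ("portal", "6.7.0"), ("api", "7.0.3"), ("new", "7.1.1")):
        lib = os.path.join(root, app, "WEB-INF", "lib")
        os.makedirs(lib)
        open(os.path.join(lib, "struts2-core-%s.jar" % ver), "wb").close()
    return root


if __name__ == "__main__":
    for rel, ver, status in scan(constructed_tree()):
        print("%-9s %-8s %s" % (status, ver, rel))
```

Point `scan()` at the container's webapps directory (or an exploded EAR) and treat every "affected" hit as a patch target; a "verify" result usually means a version released between the ranges on this page, which should be checked against the S2-068 bulletin rather than assumed patched.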

The official vendor advisory is available at the Apache Struts Security Bulletins page (S2-068): https://cwiki.apache.org/confluence/display/WW/S2-068

Additional details can be found in the oss-security mailing list announcement: http://www.openwall.com/lists/oss-security/2025/12/01/2

Organizations should prioritize this upgrade, particularly for internet-facing applications that accept file uploads or multipart form submissions.

Workarounds

If immediate patching is not possible, organizations can implement temporary mitigations:

Configure automated cleanup of temporary files in the Java temp directory used by the application. This can be achieved through cron jobs or scheduled tasks that remove old temporary files:

```bash
#!/bin/sh
# Remove leaked multipart temp files older than 60 minutes.
# Add to crontab: */15 * * * * /path/to/cleanup-script.sh
# SAVE_DIR must be the directory the application actually writes uploads to
# (struts.multipart.saveDir, or the servlet container's temp dir if unset).
SAVE_DIR="${SAVE_DIR:-/tmp}"

# The age threshold must exceed the longest legitimate upload, otherwise
# in-flight uploads are deleted underneath the application.
find "$SAVE_DIR" -maxdepth 1 -type f -name 'upload_*.tmp' -mmin +60 -delete
find "$SAVE_DIR" -maxdepth 1 -type f -name 'struts-*' -mmin +60 -delete
```

Additionally, consider rate limiting multipart requests per client IP at the reverse proxy or WAF; this slows a single-source attack but not a distributed one. Placing the save directory on its own filesystem, or applying a disk quota to it, is the more robust interim measure: exhaustion is then confined to that volume, uploads fail but logs, databases and the servlet container on other volumes keep working, and the larger capacity widens the window for detection and response.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
