CVE-2025-66675 Overview
CVE-2025-66675 is a Denial of Service (DoS) vulnerability affecting Apache Struts, a widely-used open-source framework for developing Java web applications. The vulnerability stems from a file leak in multipart request processing that can lead to disk exhaustion on affected servers. When exploited, attackers can send specially crafted multipart requests to consume disk space, ultimately causing service disruption.
This vulnerability is related to CVE-2025-64775, with this CVE specifically addressing the missing affected version 6.7.4 that was not covered in the original advisory.
Critical Impact
Remote attackers can exhaust disk space on servers running vulnerable Apache Struts versions through improper file cleanup during multipart request handling, leading to denial of service conditions.
Affected Products
- Apache Struts versions 2.0.0 through 6.7.4
- Apache Struts versions 7.0.0 through 7.0.3
Discovery Timeline
- December 10, 2025 - CVE-2025-66675 published to NVD
- December 16, 2025 - Last updated in NVD database
Technical Details for CVE-2025-66675
Vulnerability Analysis
The vulnerability resides in Apache Struts' multipart request processing mechanism. When handling file uploads through multipart form data, the framework fails to properly clean up temporary files under certain conditions. This behavior is classified under CWE-459 (Incomplete Cleanup), where temporary resources are not adequately released after use.
The improper cleanup mechanism allows an attacker to repeatedly send multipart requests to a vulnerable endpoint, causing temporary files to accumulate on the server's file system. Over time, this accumulation can exhaust available disk space, rendering the application—and potentially the entire server—unavailable.
The network-based attack vector allows unauthenticated remote attackers to exploit this vulnerability without requiring any user interaction. The low complexity of the attack makes it particularly dangerous for internet-facing Apache Struts applications.
Root Cause
The root cause of CVE-2025-66675 is CWE-459: Incomplete Cleanup. The Apache Struts multipart file upload handler does not properly delete temporary files after processing multipart requests. This can occur when:
- An exception is thrown during request processing before cleanup routines execute
- The cleanup routine itself fails to execute properly
- File handles remain open, preventing deletion
The incomplete cleanup allows temporary upload files to persist on disk indefinitely, accumulating with each subsequent request.
Attack Vector
The vulnerability is exploited via the network attack vector, requiring no authentication or user interaction. An attacker can craft HTTP requests with multipart form data targeting any Struts action that processes file uploads.
The attack methodology involves sending a high volume of multipart requests to the target application. Each request leaves behind temporary files that are never cleaned up, gradually consuming disk space until the system becomes unresponsive or fails.
The attack is particularly effective because:
- No valid file upload completion is required
- Malformed or incomplete multipart data can still trigger file creation
- The attack can be automated and sustained over time
Detection Methods for CVE-2025-66675
Indicators of Compromise
- Unusual accumulation of temporary files in the server's temp directory (typically /tmp or the configured Struts upload directory)
- Rapid disk space consumption on application servers without corresponding legitimate activity
- Elevated rate of multipart POST requests from single or distributed sources
- Application errors or timeouts related to disk I/O operations
Detection Strategies
- Monitor disk space utilization on Apache Struts application servers with alerts at 70%, 85%, and 95% thresholds
- Implement web application firewall (WAF) rules to detect and rate-limit multipart requests from suspicious sources
- Review application and web server logs for abnormal patterns of multipart form submissions
- Deploy file system monitoring to track temporary file creation and deletion rates in upload directories
Monitoring Recommendations
- Configure centralized logging for all Apache Struts application instances to correlate potential attack patterns
- Set up automated alerting for rapid increases in temporary file count or disk usage
- Implement request rate limiting for endpoints accepting multipart form data
- Monitor server performance metrics including disk I/O latency and available storage
How to Mitigate CVE-2025-66675
Immediate Actions Required
- Upgrade Apache Struts to version 6.8.0 or 7.1.1 immediately, which contain the official fix for this vulnerability
- Review and clean up any accumulated temporary files in Struts upload directories
- Implement request rate limiting on file upload endpoints as a temporary protective measure
- Monitor disk space utilization closely until patches are applied
Patch Information
Apache has released patched versions that address this file leak vulnerability. Users should upgrade to:
- Version 6.8.0 for users on the 6.x branch (fixes versions 2.0.0 through 6.7.4)
- Version 7.1.1 for users on the 7.x branch (fixes versions 7.0.0 through 7.0.3)
Detailed patch information and upgrade instructions are available in the Apache Wiki S2-068 Security Bulletin.
Workarounds
- Implement external disk space monitoring with automated alerts and cleanup scripts for temporary directories
- Configure web server or reverse proxy rate limiting for multipart POST requests
- Set strict limits on temporary file directory size using operating system quotas
- Consider temporarily disabling file upload functionality if not critical to business operations
- Deploy a WAF rule to limit the frequency of multipart requests per source IP
# Example: Monitor and clean old temp files (Linux)
# Find and remove Struts temp files older than 1 hour
find /tmp -name "upload_*.tmp" -type f -mmin +60 -delete
# Set up disk quota monitoring
df -h /tmp | awk 'NR==2 {if ($5+0 > 80) print "WARNING: Temp disk usage at "$5}'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
