Denial of Service Vulnerability in Apache Struts by Apache
CVE-2025-64775

7.5 HIGH

Key Information:

Vendor

Apache

CVE Published:
1 December 2025

Badges

Score: 439 | Exploit Exists | News Worthy

What is CVE-2025-64775?

CVE-2025-64775 is a denial of service vulnerability in Apache Struts, a widely used open-source framework for building Java web applications. The flaw occurs during the processing of multipart requests: files are leaked instead of being cleaned up, and the accumulated data can exhaust the server's disk. Because the condition can be triggered remotely, an attacker can consume server resources until the application stops serving legitimate users. Affected versions are Apache Struts 2.0.0 through 6.7.0 and 7.0.0 through 7.0.3. To mitigate CVE-2025-64775, users are strongly advised to upgrade to version 6.8.0 or 7.1.1, which contain the fix.

Potential impact of CVE-2025-64775

  1. Service Disruption: The primary impact of this vulnerability is service disruption. By triggering the denial of service condition, attackers can render applications inoperable, causing downtime and preventing legitimate users from accessing the service.

  2. Resource Exhaustion: The vulnerability causes disk exhaustion by leaking files during multipart request processing. This resource drain degrades server performance, leading to slow response times, increased latency, and the need for emergency intervention to restore normal operation.

  3. Reputational Damage: Organizations affected by this vulnerability may suffer reputational harm from prolonged outages or degraded performance. This can erode customer trust and damage business relationships, especially where Apache Struts underpins critical application functionality.

Affected Version(s)

Apache Struts 2.0.0 through 6.7.0 (inclusive)

Apache Struts 7.0.0 through 7.0.3 (inclusive)

News Articles

Apache Struts Vulnerability Let Attackers Trigger Disk Exhaustion Attacks

Researchers found a flaw in Apache Struts that could allow attackers to trigger disk exhaustion attacks, rendering affected systems unusable.

6 days ago

Apache Struts Vulnerability Lets Attackers Trigger Disk Exhaustion Attacks

The flaw, identified as CVE-2025-64775, enables attackers to perform disk exhaustion denial-of-service (DoS) attacks that can render affected systems completely unavailable.

6 days ago

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Exploit known to exist

  • First article discovered by Cyber Press

  • Vulnerability published

  • Vulnerability reserved

Credit

Nicolas Fournier