Denial of Service Flaw in Apache Struts Affecting Multiple Versions
CVE-2025-66675

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Struts
Vendor: CVE Published:; 10 December 2025

What is CVE-2025-66675?

A Denial of Service vulnerability has been identified in Apache Struts, where improper handling of multipart request processing can lead to disk exhaustion. This vulnerability affects multiple versions of Apache Struts, specifically from versions 2.0.0 up to 6.7.4 and from 7.0.0 to 7.0.3. It is crucial for users to upgrade to versions 6.8.0 or 7.1.1 to mitigate this issue effectively. For additional context, there is a related CVE that highlights an oversight in acknowledging version 6.7.4.

Affected Version(s)

Apache Struts 2.0.0 <= 6.7.*

Apache Struts 7.0.0 <= 7.0.*

References

https://cwiki.apache.org/confluence/display/WW/S2-068

vendor-advisory

https://cve.org/CVERecord?id=CVE-2025-64775

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 10, 2025
Vulnerability Reserved
Dec 7, 2025

Credit

Nicolas Fournier

JSON