Denial of Service Flaw in Apache Struts Affecting Multiple Versions
CVE-2025-66675

8.2HIGH

Key Information:

Vendor: Apache
Status: Apache Struts
Vendor: CVE Published:; 10 December 2025

What is CVE-2025-66675?

A Denial of Service vulnerability has been identified in Apache Struts, where improper handling of multipart request processing can lead to disk exhaustion. This vulnerability affects multiple versions of Apache Struts, specifically from versions 2.0.0 up to 6.7.4 and from 7.0.0 to 7.0.3. It is crucial for users to upgrade to versions 6.8.0 or 7.1.1 to mitigate this issue effectively. For additional context, there is a related CVE that highlights an oversight in acknowledging version 6.7.4.

Affected Version(s)

Apache Struts 2.0.0 <= 6.7.*

Apache Struts 7.0.0 <= 7.0.*

References

https://cwiki.apache.org/confluence/display/WW/S2-068

vendor-advisory

https://cve.org/CVERecord?id=CVE-2025-64775

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 10, 2025
Vulnerability Reserved
Dec 7, 2025

Credit

Nicolas Fournier

JSON