Severity
High
Analysis Summary
A critical vulnerability has been discovered in Apache Struts, tracked as CVE-2025-64775, that allows attackers to exhaust disk space on affected servers, potentially rendering them unusable. The flaw is a file leak in the multipart request processing mechanism: files created while handling multipart requests are not released, so repeated requests can accumulate files on the server without limit. The vulnerability requires no authentication, making it particularly dangerous for internet-facing applications, and can result in a complete denial of service (DoS), causing application crashes, operational downtime, and potential data loss.
The vulnerability affects a wide range of Struts versions: the end-of-life (EOL) 2.0.0-2.3.37 and 2.5.0-2.5.33 releases as well as the currently supported 6.0.0-6.7.0 and 7.0.0-7.0.3 releases. Organizations running unsupported versions face increased risk, as those versions no longer receive security updates and therefore remain exposed to additional vulnerabilities. The multipart request handling is where the defect lies: its file-handling operations can be driven to exhaust disk space, which disrupts services and renders applications unresponsive.
To mitigate the risk, the Apache Software Foundation strongly recommends upgrading to Struts 6.8.0 or newer within the 6.x branch, or Struts 7.1.1 or later. These patched versions resolve the file-leak issue while maintaining backward compatibility, ensuring existing applications continue to function without code changes. Security teams should prioritize patching internet-facing applications and conduct thorough testing in development environments before deploying updates to production systems.
For organizations unable to immediately upgrade, temporary mitigations include monitoring disk usage for anomalies and restricting multipart request sizes to prevent uncontrolled file accumulation. Given the vulnerability’s Important security rating and its potential for service disruption, treating this patch as a high-priority maintenance task is critical to maintaining business continuity and protecting sensitive systems from exploitation.
Impact
- Denial of Service
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-64775
Affected Vendors
Remediation
- Upgrade to Struts 6.8.0 or later (6.x branch) or Struts 7.1.1 or later (7.x branch).
- If running EOL versions (2.0.0-2.3.37 or 2.5.0-2.5.33), immediately migrate to supported versions.
- Deploy updates in development/test environments to ensure compatibility with existing applications.
- Implement disk space monitoring to detect unusual file accumulation early.
- Temporarily limit the size of multipart requests to prevent uncontrolled file growth.
- Patch systems that are publicly accessible first, as they are most at risk.
- Treat this patch as high-priority and plan deployment in the next maintenance window.
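The disk-space monitoring mitigation above, as an added example rather than anything shipped with the advisory or with Struts: a POSIX shell check that counts multipart temp files which have outlived a normal request in the upload directory and reports the filesystem's usage. It assumes uploads land in the directory given by SAVE_DIR (Struts defaults to java.io.tmpdir unless struts.multipart.saveDir is set) and that Commons FileUpload names them upload_*.tmp; both the path and the name pattern are assumptions to adjust for your deployment.

```shell
#!/bin/sh
# Constructed monitoring check for a multipart file leak (not from the advisory).
# Legitimate upload temp files are deleted when the request finishes, so files
# that linger for longer than a request could take are the leak indicator.
# ASSUMPTIONS: upload directory = $SAVE_DIR, file name pattern = upload_*.tmp.

SAVE_DIR="${SAVE_DIR:-/tmp}"
STALE_MINUTES="${STALE_MINUTES:-30}"   # older than this = outlived a request
MAX_STALE="${MAX_STALE:-50}"           # alert above this many lingering files
MAX_DISK_PCT="${MAX_DISK_PCT:-85}"     # alert above this filesystem usage

# Print the number of upload_*.tmp files older than $2 minutes in directory $1.
count_stale_uploads() {
    dir="$1"; minutes="$2"
    find "$dir" -maxdepth 1 -type f -name 'upload_*.tmp' -mmin "+$minutes" 2>/dev/null \
        | wc -l | tr -d ' '
}

# Print the used-space percentage (integer) of the filesystem holding $1.
disk_used_pct() {
    df -P "$1" | awk 'NR==2 { sub("%", "", $5); print $5 }'
}

# Return 0 when both indicators are within thresholds, 1 when either trips.
check_upload_dir() {
    dir="$1"; minutes="$2"; max_stale="$3"; max_pct="$4"
    stale=$(count_stale_uploads "$dir" "$minutes")
    used=$(disk_used_pct "$dir")
    status=0
    if [ "$stale" -gt "$max_stale" ]; then
        echo "ALERT: $stale multipart temp files older than ${minutes}m in $dir (possible file leak)"
        status=1
    fi
    if [ "$used" -gt "$max_pct" ]; then
        echo "ALERT: filesystem holding $dir is ${used}% full"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: $stale stale uploads in $dir, disk ${used}% used"
    fi
    return "$status"
}

# Invoke as `check_uploads.sh --check` from cron; a non-zero exit signals an alert.
if [ "${1:-}" = "--check" ]; then
    check_upload_dir "$SAVE_DIR" "$STALE_MINUTES" "$MAX_STALE" "$MAX_DISK_PCT"
fi
```

Pair this with the request-size limit the advisory recommends (the struts.multipart.maxSize constant in struts.xml) so that each leaked file is at least bounded in size.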