A critical vulnerability has been discovered in Apache Struts, tracked as CVE-2025-64775, which allows attackers to trigger disk exhaustion attacks, potentially rendering affected systems unusable. The flaw arises from a file leak in the multipart request processing mechanism, which can be exploited to accumulate files uncontrollably on the server. This vulnerability requires no authentication, making it particularly dangerous for internet-facing applications, and can result in complete denial-of-service (DoS), causing application crashes, operational downtime, and potential data loss.

The vulnerability affects a wide range of Struts versions, including EOL versions 2.0.0-2.3.37 and 2.5.0-2.5.33, as well as currently supported versions 6.0.0-6.7.0 and 7.0.0-7.0.3. Organizations running unsupported versions face increased risk, as they no longer receive security updates, leaving them exposed to additional vulnerabilities. Apache Struts’ multipart request handling is central to this issue, allowing attackers to exploit file-handling operations and exhaust disk space, which disrupts services and renders applications unresponsive.

To mitigate the risk, the Apache Software Foundation strongly recommends upgrading to Struts 6.8.0 or newer within the 6.x branch, or Struts 7.1.1 or later. These patched versions resolve the file-leak issue while maintaining backward compatibility, ensuring existing applications continue to function without code changes. Security teams should prioritize patching internet-facing applications and conduct thorough testing in development environments before deploying updates to production systems.

For organizations unable to immediately upgrade, temporary mitigations include monitoring disk usage for anomalies and restricting multipart request sizes to prevent uncontrolled file accumulation. Given the vulnerability’s Important security rating and its potential for service disruption, treating this patch as a high-priority maintenance task is critical to maintaining business continuity and protecting sensitive systems from exploitation.