CVE-2025-66675

Published Dec 10, 2025

Last updated 2 months ago

CVSS high 8.2

Overview

Description
Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue. It's related to  https://cve.org/CVERecord?id=CVE-2025-64775  - this CVE addresses missing affected version 6.7.4
Source
security@apache.org
NVD status
Analyzed
Products
struts

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.2
Impact score
4.2
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Severity
HIGH

Weaknesses

security@apache.org
CWE-459

Social media

Hype score
Not currently trending

  1. #VulnerabilityReport #ApacheStruts2 Apache Struts 2 DoS Flaw (CVE-2025-66675) Risks Server Crash via File Leak in Multipart Request Processing https://t.co/V3CMvIVQvk

    @Komodosec

    17 Jan 2026

    51 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-66675 (CVSS:8.2, HIGH) is Awaiting Analysis. Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. Thi..https://t.co/TZW0VrIUXm #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot

    15 Dec 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-66675 Denial of Service Vulnerability in Apache Struts Multipart Request Proce... https://t.co/ekS60wVIo1 Vulnerability Notification: https://t.co/xhLrNnfyrO

    @VulmonFeeds

    10 Dec 2025

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue.CVE-2025-68493
  2. Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.CVE-2025-64775
  3. File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload . If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in  https://cwiki.apache.org/confluence/display/WW/S2-067CVE-2024-53677
  4. When a Multipart request is performed but some of the fields exceed the maxStringLength  limit, the upload files will remain in struts.multipart.saveDir  even if the request has been denied. Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe this issue.CVE-2023-41835
  5. Apache Struts Remote Code Execution VulnerabilityCVE-2020-17530

References

Sources include official advisories and independent security research.