Critical Apache Struts 2 Vulnerability Exposes Servers to Denial-of-Service Attacks
A significant security flaw has been identified in Apache Struts 2, a widely utilized web application framework, which could allow attackers to execute denial-of-service (DoS) attacks by exploiting a file leak during multipart request processing. This vulnerability, designated as CVE-2025-64775, affects multiple versions of the framework and poses a substantial risk to organizations relying on Struts for their web applications.
Understanding the Vulnerability
The core issue lies in the file upload functionality of Apache Struts 2. When processing multipart requests, a file leak can occur, leading to disk exhaustion. Attackers can exploit this flaw by continuously sending multipart requests, causing the server’s storage capacity to be overwhelmed. As disk space is depleted, the server becomes incapable of processing legitimate requests, resulting in a complete denial of service.
Affected Versions and Recommendations
The vulnerability impacts several versions of Apache Struts 2 across different release lines:
– Struts 2.0.0 to 2.3.37: These versions have reached end-of-life and are vulnerable. Immediate upgrades are strongly recommended.
– Struts 2.5.0 to 2.5.33: Also end-of-life and vulnerable. Organizations should upgrade without delay.
– Struts 6.0.0 to 6.7.4: Currently maintained but vulnerable. Updating to a secure version is necessary.
– Struts 7.0.0 to 7.0.3: Similarly maintained yet vulnerable. Prompt updates are advised.
To mitigate the risk, organizations should upgrade to Struts 6.8.0 or 7.1.1, as these versions contain patches addressing the vulnerability. The updates are backward compatible, ensuring that existing functionalities remain unaffected during the transition.
Mitigation Strategies
For organizations unable to implement immediate upgrades, alternative measures can be considered:
– Configure Temporary Folders with Limited Storage: By setting up dedicated temporary directories with restricted storage capacity, the impact of potential attacks can be minimized.
– Disable File Upload Support: If file upload functionality is not essential for operations, disabling it can eliminate the attack vector associated with this vulnerability.
Discovery and Advisory
Security researcher Nicolas Fournier discovered this critical vulnerability. The Apache Struts team has issued an advisory urging all developers, system administrators, and organizations utilizing Struts-based applications to assess their environments and apply the necessary patches promptly.
Broader Implications
This vulnerability underscores the importance of regular software maintenance and timely application of security patches. Apache Struts has been a target for attackers in the past, with notable incidents such as the 2017 Equifax breach highlighting the potential consequences of unpatched vulnerabilities. Organizations must remain vigilant, ensuring that their systems are up-to-date and that security best practices are consistently followed.
Conclusion
The discovery of CVE-2025-64775 in Apache Struts 2 serves as a critical reminder of the ever-present threats in the cybersecurity landscape. Organizations utilizing affected versions should prioritize upgrading to the recommended secure versions or implement appropriate mitigation strategies to safeguard their systems against potential denial-of-service attacks.
