Critical Apache Struts Vulnerability Exposes Systems to Disk Exhaustion Attacks
A significant security vulnerability has been identified in Apache Struts, a widely used open-source framework for developing Java-based web applications. This flaw, designated as CVE-2025-64775, allows attackers to exploit the framework’s multipart request processing mechanism, potentially leading to disk exhaustion and rendering affected systems inoperable.
Understanding the Vulnerability
The core of this vulnerability lies in how Apache Struts handles multipart requests—requests that include files uploaded by users. Due to improper management of temporary files during this process, an attacker can craft requests that cause the server to create and retain an excessive number of temporary files. Over time, this accumulation can consume all available disk space, leading to a denial-of-service (DoS) condition.
Impact on Systems
When a server’s disk space is exhausted, it can no longer perform essential operations, causing applications to become unresponsive or crash. This disruption can have severe consequences for businesses, including operational downtime, loss of data, and potential reputational damage. Given that this vulnerability can be exploited without authentication, it poses a significant risk, especially to internet-facing applications.
Affected Versions
The vulnerability affects multiple versions of Apache Struts, including:
– Struts 2.0.0 to 2.3.37 (End-of-Life)
– Struts 2.5.0 to 2.5.33 (End-of-Life)
– Struts 6.0.0 to 6.7.0
– Struts 7.0.0 to 7.0.3
Organizations using these versions are at risk and should take immediate action to mitigate potential threats.
Recommended Actions
To address this critical vulnerability, the Apache Software Foundation has released patched versions of Struts:
– Struts 6.8.0 or later within the 6.x branch
– Struts 7.1.1 or later within the 7.x branch
Organizations are strongly advised to upgrade to these versions promptly. The patches resolve the file-leak issue while maintaining backward compatibility, ensuring that existing applications continue to function without requiring code modifications.
Mitigation Strategies
For organizations unable to upgrade immediately, the following interim measures are recommended:
– Monitor Disk Usage: Implement monitoring tools to detect unusual disk usage patterns that may indicate exploitation attempts.
– Restrict Multipart Request Sizes: Configure the server to limit the size of multipart requests, reducing the potential impact of an attack.
– Regular Maintenance: Schedule regular maintenance to clean up temporary files and ensure that disk space is managed effectively.
Conclusion
The discovery of CVE-2025-64775 underscores the importance of proactive security measures in software development and maintenance. Organizations utilizing Apache Struts must prioritize upgrading to the latest patched versions to protect their systems from potential disk exhaustion attacks. By staying vigilant and implementing recommended security practices, businesses can safeguard their operations against such vulnerabilities.
