S2-068 - Apache Struts 2 Wiki - Apache Software Foundation
S2-068
Created by Lukasz Lenart, last modified on Dec 06, 2025
Summary
File leak in multipart request processing causes disk exhaustion (DoS)
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Denial of service
Maximum security rating
Important
Recommendation
Upgrade to at least Struts 6.8.0 or 7.1.1
Affected Software
Struts 2.0.0 through Struts 2.3.37 (EOL)
Struts 2.5.0 through Struts 2.5.33 (EOL)
Struts 6.0.0 through Struts 6.7.4
Struts 7.0.0 through Struts 7.0.3
Reporters
Nicolas Fournier
CVE Identifier
CVE-2025-64775
Problem
If file upload support is enabled, a file leak in multipart request processing causes disk exhaustion.
Solution
Upgrade to at least Struts 6.8.0 or Struts 7.1.1.
Backward compatibility
This change is backward compatible.
Workaround
Define the temporary folder used to store uploaded files so that it has a limited size or sits on a dedicated volume, where filling it won't affect system files. Alternatively, disable file upload support in the framework if it is not used.
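One way to check that the workaround is in place, as an added example that is not part of the original bulletin or the Struts project: a shell audit of the upload temp folder (the directory set through struts.multipart.saveDir). The function names and the default thresholds (60 minutes, 80% full) are assumptions.

```shell
#!/bin/sh
# Added example (not from the Struts project): audit the upload temp folder.
# Function names and default thresholds are assumptions for illustration.

# Print the mount point of the filesystem that holds path $1.
mount_point() {
    df -P "$1" 2>/dev/null | awk 'NR==2 {print $NF}'
}

# Succeed when $1 is on a different mount than /, so filling the upload
# volume cannot exhaust the volume that holds system files.
is_dedicated_volume() {
    [ "$(mount_point "$1")" != "$(mount_point /)" ]
}

# Print the used-space percentage (digits only) of the volume holding $1.
volume_use_pct() {
    df -P "$1" | awk 'NR==2 {sub(/%/, "", $5); print $5}'
}

# Count regular files under $1 untouched for more than $2 minutes. Temp
# files that outlive any plausible upload indicate leaked files.
count_stale_files() {
    find "$1" -type f -mmin +"$2" | wc -l | tr -d ' '
}

# Run all checks; return 0 if clean, 1 on any warning, 2 on a bad path.
audit_upload_dir() {
    dir=$1; max_age_min=${2:-60}; max_pct=${3:-80}; status=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 2; }
    if ! is_dedicated_volume "$dir"; then
        echo "WARN: $dir shares a volume with /"; status=1
    fi
    stale=$(count_stale_files "$dir" "$max_age_min")
    if [ "$stale" -gt 0 ]; then
        echo "WARN: $stale file(s) older than $max_age_min min in $dir"; status=1
    fi
    pct=$(volume_use_pct "$dir")
    if [ "${pct:-0}" -gt "$max_pct" ]; then
        echo "WARN: volume holding $dir is ${pct}% full"; status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $dir passed all checks"
    return "$status"
}

# Usage: sh audit.sh /path/to/upload-tmp [max_age_min] [max_pct]
if [ "$#" -gt 0 ]; then audit_upload_dir "$@"; fi
```

A bind mount of the root filesystem reports its own mount point, so confirm the backing volume separately when the folder is bind-mounted.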