8.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66675

CVE-2025-66675: Apache Struts has a Denial of Service vulnerability

Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion.

This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3.

Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66675

CVE-2025-66675:

8.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.struts:struts2-core	maven	>= 2.0.0, < 6.8.0	6.8.0
org.apache.struts:struts2-core	maven	>= 7.0.0, < 7.1.1	7.1.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, CVE-2025-66675, is a Denial of Service in Apache Struts caused by a resource leak. When processing multipart/form-data requests, the JakartaMultiPartRequest class is used to handle file uploads and form fields. The underlying library, Apache Commons FileUpload, may create temporary files on disk for any part of the request, including regular form fields, if they exceed a certain size.

The vulnerability lies in the cleanUp() method of the org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest class. The original implementation only deleted temporary files associated with explicit file uploads, neglecting temporary files created for other form fields. This meant that with each specially crafted multipart request, temporary files were left behind on the server's disk. A malicious actor could repeatedly send such requests, causing the disk to fill up, which would lead to a Denial of Service as the server would no longer be able to write files.

The patch addresses this by introducing a list, allFileItems, which tracks every single item processed from the multipart request inside the processUpload method. The cleanUp method was then rewritten to iterate over this comprehensive list, ensuring that every temporary file created during the request processing is properly deleted, thus plugging the leak.

Vulnerable functions

org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.cleanUp

core/src/main/java/org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.java

This function is responsible for deleting temporary files created during the processing of a multipart/form-data request. The vulnerable version of this function failed to delete temporary files associated with regular form fields (not just file uploads) that were written to disk by the underlying `commons-fileupload` library. This incomplete cleanup leads to a file leak, where each request can leave behind temporary files, eventually exhausting disk space and causing a Denial of Service.

org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.processUpload

core/src/main/java/org/apache/struts2/dispatcher/multipart/JakartaMultiPartRequest.java

This function is part of the multipart request parsing process. While not directly causing the leak, its original implementation is the root cause of the vulnerability. It failed to keep track of all temporary files created. The patch modifies it to add every `FileItem` to the `allFileItems` list, which is then used by the fixed `cleanUp` method to ensure no temporary files are left behind. An attacker would trigger this function as part of the exploitation process.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66675: Apache Struts has a Denial of Service vulnerability

CVE-2025-66675:

8.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

8.2

8.2

Basic Information

Basic Information

CVE-2025-66675: Apache Struts has a Denial of Service vulnerability

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI