CVE-2025-66675: Apache Struts has a Denial of Service vulnerability

December 10, 2025

Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion.

This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3.

Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.

References

cve.org/CVERecord?id=CVE-2025-64775
cwiki.apache.org/confluence/display/WW/S2-068
github.com/advisories/GHSA-rg58-xhh7-mqjw
github.com/apache/struts
github.com/apache/struts/commit/831568929cfba700f790f6ebe6e335f9f33fb468
nvd.nist.gov/vuln/detail/CVE-2025-66675

Code Behaviors & Features

Detect and mitigate CVE-2025-66675 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →