
[CIVN-2025-0368] Denial of Service Vulnerability in Apache Struts
Denial of Service Vulnerability in Apache Struts
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
Apache Struts versions 2.0.0 to 2.3.37
Apache Struts versions 2.5.0 to 2.5.33
Apache Struts versions 6.0.0 to 6.7.4
Apache Struts versions 7.0.0 to 7.0.3
Overview
A vulnerability has been reported in Apache Struts which could allow a remote attacker to cause a Denial of Service (DoS) condition on the targeted system.
Target Audience:
Organizations and individuals using the affected Apache Struts.
Risk Assessment:
High risk of denial of service and data manipulation.
Impact Assessment:
Potential for application crashes, process instability and service unavailability.
Description
Apache Struts is a free, open-source framework for creating enterprise-ready Java web applications.
This vulnerability exists in Apache Struts due to a file leak during multipart request processing. An attacker could exploit this vulnerability by sending specially crafted HTTP requests to a vulnerable server, causing temporary files to accumulate rapidly and exhaust the server's disk space, leading to a denial-of-service condition.
Successful exploitation of this vulnerability could allow a remote attacker to cause a Denial-of-Service (DoS) condition on the targeted system.
Solution
Apply appropriate software updates as mentioned by the vendor:
https://cwiki.apache.org/confluence/display/WW/S2-068
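To find which deployments need the update, the following added example (not part of the CERT-In advisory and not Apache code) scans a directory tree for Struts core jars and flags versions inside the ranges listed under Software Affected. It assumes the library is present under its Maven artifact name struts2-core-<version>.jar, either loose or inside a .war/.ear archive; the function names are hypothetical.

```python
import os
import re
import sys
import zipfile

# Affected ranges exactly as listed in this advisory (both ends inclusive).
AFFECTED = [((2, 0, 0), (2, 3, 37)), ((2, 5, 0), (2, 5, 33)),
            ((6, 0, 0), (6, 7, 4)), ((7, 0, 0), (7, 0, 3))]

# Assumption: the core library keeps its Maven artifact name.
JAR_RE = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)*)[^/]*\.jar$")


def is_affected(version):
    """True if a dotted version string falls inside an advisory range."""
    v = tuple(int(p) for p in version.split("."))
    v += (0,) * (3 - len(v))  # pad "6.7" to (6, 7, 0)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def jar_version(path):
    m = JAR_RE.search(path.replace(os.sep, "/"))
    return m.group(1) if m else None


def scan(root):
    """Walk root; return sorted (location, version, affected) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            candidates = [full]
            if name.lower().endswith((".war", ".ear")):
                try:  # list the jars bundled inside the archive
                    with zipfile.ZipFile(full) as archive:
                        candidates = [full + "!" + m for m in archive.namelist()]
                except (zipfile.BadZipFile, OSError):
                    continue  # unreadable archive: skip it, keep scanning
            for location in candidates:
                version = jar_version(location)
                if version:
                    findings.append((location, version, is_affected(version)))
    return sorted(findings)


if __name__ == "__main__":
    for location, version, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(("AFFECTED " if affected else "ok       ") + version + "  " + location)
```

A jar that has been renamed, shaded into another jar, or nested more than one archive deep is not seen by this scan, so an empty result is not proof that Struts is absent.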
Vendor Information
Apache
https://cwiki.apache.org/confluence/display/WW/S2-068
References
Apache
https://cwiki.apache.org/confluence/display/WW/S2-068
CVE Name
CVE-2025-64775
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


