CVE-2023-41835

CVE-2023-41835: Apache Struts: excessive disk usage

Vendor: Apache Software Foundation
Product: Apache Struts
Weakness: CWE-459
Published: December 5, 2023
Last update: November 4, 2025

What the vulnerability does

Description

When a multipart request is performed but some of the fields exceed the maxStringLength limit, the uploaded files remain in struts.multipart.saveDir even though the request has been denied. Users are recommended to upgrade to Struts 2.5.32, 6.1.2.2, or 6.3.0.1 or greater, which fix this issue.

Key dates

Disclosure timeline

December 5, 2023: CVE published
November 4, 2025: Record updated