CVE-2025-66675

CVE-2025-66675: Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - version ranges fixed

Vendor: Apache Software Foundation
Product: Apache Struts
Weakness: CWE-459
Published: December 10, 2025
Last update: December 10, 2025

What the vulnerability does

Description

Denial of Service vulnerability in Apache Struts: a file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts from 2.0.0 through 6.7.4 and from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fix the issue. It is related to https://cve.org/CVERecord?id=CVE-2025-64775; this CVE addresses the missing affected version 6.7.4.

Key dates

Disclosure timeline

December 10, 2025: CVE published
December 10, 2025: Record updated