CVE-2025-66675

CWE-459 | 5 documents | 5 sources
Severity: 8.2 HIGH
EPSS: 0.2% (top 59.27%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 10

Description

Denial of Service vulnerability in Apache Struts: a file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts from 2.0.0 through 6.7.4 and from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue. It is related to https://cve.org/CVERecord?id=CVE-2025-64775; this CVE addresses the missing affected version 6.7.4.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Exploitability: 3.9 | Impact: 4.2

Affected Packages (3 packages)

NVD | apache/struts | 6.0.0 | 6.8.0 | +3
Maven | org.apache.struts:struts2-core | 2.0.0 | 6.8.0 | +1
CVEListV5 | apache_software_foundation/apache_struts | 2.0.0 | 6.7.* | +1

🔴 Vulnerability Details (3)

CVEList: Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - version ranges fixed (2025-12-10)
OSV: Apache Struts has a Denial of Service vulnerability (2025-12-10)
GHSA: Apache Struts has a Denial of Service vulnerability (2025-12-10)

🕵️ Threat Intelligence (1)

Wiz: CVE-2025-66675 Impact, Exploitability, and Mitigation Steps | Wiz