CVE-2025-64775: CWE-459 Incomplete Cleanup in Apache Software Foundation Apache Struts
Denial of Service vulnerability in Apache Struts: a file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.
AI Analysis
Technical Summary
CVE-2025-64775 is a Denial of Service vulnerability classified under CWE-459 (Incomplete Cleanup) affecting the Apache Struts framework, a widely used open-source Java web application framework. The vulnerability exists in the multipart request processing component, where temporary files created during request handling are not properly cleaned up. This leads to file leaks that accumulate on the server's disk, eventually causing disk exhaustion and service disruption. The affected versions span a broad range, from 2.0.0 through 6.7.0 and 7.0.0 through 7.0.3, indicating a long-standing issue that was only recently addressed. The vulnerability can be exploited remotely without any authentication or user interaction, making it accessible to unauthenticated attackers over the network. The CVSS v3.1 base score of 7.5 reflects a high severity due to the ease of exploitation and the impact on availability. While no known exploits have been reported in the wild yet, the potential for denial of service attacks is significant, especially for organizations running critical web services on Apache Struts. The recommended remediation is to upgrade to Apache Struts versions 6.8.0 or 7.1.1, where the incomplete cleanup logic has been fixed. Additional technical controls such as limiting multipart request sizes and monitoring disk space usage can help mitigate the risk until patches are applied.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the availability of web applications built on Apache Struts. Disk exhaustion caused by file leaks can lead to service outages, impacting business continuity, customer trust, and potentially causing financial losses. Critical infrastructure and government services relying on Apache Struts may face operational disruptions. The lack of required authentication and user interaction lowers the barrier for attackers, increasing the likelihood of exploitation attempts. Organizations with high traffic web applications are particularly vulnerable due to the increased volume of multipart requests that can accelerate disk consumption. Additionally, denial of service incidents can have cascading effects on dependent systems and services. The impact is heightened in sectors such as finance, healthcare, and public administration, where uptime and service reliability are paramount.
Mitigation Recommendations
1. Immediately upgrade Apache Struts to versions 6.8.0 or 7.1.1 where the vulnerability is patched.
2. Implement strict limits on multipart request sizes at the web server or application level to reduce the potential for disk exhaustion.
3. Monitor disk usage continuously on servers running Apache Struts to detect abnormal increases in temporary file storage.
4. Configure automated cleanup scripts or processes to remove orphaned temporary files if patching cannot be done immediately.
5. Employ web application firewalls (WAFs) with rules to detect and block suspicious multipart requests that could trigger the vulnerability.
6. Conduct regular security audits and vulnerability scans focusing on Apache Struts components.
7. Educate development and operations teams about the risks associated with multipart request handling and proper resource management.
8. Isolate critical applications on dedicated infrastructure to limit the blast radius of potential denial of service attacks.
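A stop-gap for recommendations 3 and 4, written here as an added example and not taken from the Struts project or this advisory: a POSIX shell script that reports how full the filesystem holding the multipart temp directory is and removes orphaned upload temp files older than a threshold, skipping any file a process still holds open. It assumes GNU/Linux `find` (`-mmin`) and `fuser`, that `STRUTS_SAVE_DIR` is set to the directory `struts.multipart.saveDir` (or the servlet container's temp dir) points at, and that leaked files match `upload_*.tmp`; the age threshold must exceed the longest legitimate upload so in-flight requests are never broken.

```shell
#!/bin/sh
# Stop-gap cleanup of orphaned multipart temp files plus a disk-usage check.
# Added example, not Struts project code. Assumptions: STRUTS_SAVE_DIR is the
# directory struts.multipart.saveDir (or the container temp dir) points at,
# leaked files match TMP_PATTERN, and find supports -mmin (GNU/BSD find).
TMP_PATTERN=${TMP_PATTERN:-'upload_*.tmp'}

# disk_used_pct DIR: print the used percentage of the filesystem holding DIR.
disk_used_pct() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# count_stale DIR MINUTES: print how many temp files are older than MINUTES.
count_stale() {
    find "$1" -maxdepth 1 -type f -name "$TMP_PATTERN" -mmin +"$2" | wc -l | tr -d ' '
}

# clean_stale DIR MINUTES: delete stale temp files, skipping any a process still
# holds open (an in-flight upload); print the number removed. MINUTES must be
# longer than the slowest legitimate upload or live requests will break.
clean_stale() {
    find "$1" -maxdepth 1 -type f -name "$TMP_PATTERN" -mmin +"$2" -print |
    while IFS= read -r f; do
        if command -v fuser >/dev/null 2>&1 && fuser "$f" >/dev/null 2>&1; then
            continue   # still open by a request: leave it alone
        fi
        rm -f -- "$f" && printf '%s\n' "$f"
    done | wc -l | tr -d ' '
}

# run_cleanup DIR MINUTES WARN_PCT: one cron/timer iteration; returns 1 when the
# filesystem is still above WARN_PCT after cleanup so monitoring can alert.
run_cleanup() {
    stale=$(count_stale "$1" "$2")
    removed=$(clean_stale "$1" "$2")
    pct=$(disk_used_pct "$1")
    echo "$1: $stale stale, $removed removed, disk ${pct}% used"
    [ "$pct" -lt "$3" ]
}

# Only run when the operator has pointed the script at the real temp directory.
if [ -n "${STRUTS_SAVE_DIR:-}" ]; then
    run_cleanup "$STRUTS_SAVE_DIR" "${MAX_AGE_MIN:-60}" "${WARN_PCT:-85}"
fi
```

Run it from cron or a systemd timer with `STRUTS_SAVE_DIR` set; a non-zero exit means the disk is still above `WARN_PCT` and the host needs attention beyond cleanup.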
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: apache
- Date Reserved: 2025-11-11T15:12:23.069Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 692dbfd095b0bac45939d90e
Added to database: 12/1/2025, 4:18:24 PM
Last enriched: 12/8/2025, 5:11:47 PM
Last updated: 1/15/2026, 11:00:26 PM