
CVE-2025-64775: CWE-459 Incomplete Cleanup in Apache Software Foundation Apache Struts

Score: 0 (severity: Unknown)
Tags: Vulnerability, cve, cve-2025-64775, cwe-459
Published: Mon Dec 01 2025 (12/01/2025, 16:07:36 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Struts

Description

Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.

AI-Powered Analysis

AI analysis last updated: 12/01/2025, 16:21:26 UTC

Technical Analysis

CVE-2025-64775 is a denial of service vulnerability classified under CWE-459 (Incomplete Cleanup) in Apache Struts, a widely used open-source framework for Java web applications. The flaw sits in multipart request processing: when Struts handles a multipart/form-data body it spools the uploaded parts to temporary files on disk, and in the affected versions those files are not deleted on every path through the handler. Each request that takes a non-cleaning path leaves a file behind, so an attacker who repeatedly sends crafted multipart requests can fill the volume that holds the save directory. Once that disk is full the application, and often the host, stops functioning, which is the denial of service.

Two points matter for exposure. First, Struts parses multipart bodies in its request wrapper before the target action is dispatched, so any Struts-mapped URL that receives a multipart body is a candidate, not only pages that expose an upload form; whether the request also has to pass authentication depends on how the application protects that URL. Second, the advisory does not say which processing path fails to clean up, so a leaking request cannot be told apart from a normal upload by content at the network edge; disk accounting on the server is the dependable signal.

Affected versions are 2.0.0 through 6.7.0 and 7.0.0 through 7.0.3; the fix is in 6.8.0 and 7.1.1. No CVSS score has been assigned, and no in-the-wild exploitation was known as of the publication date.
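The cleanup defect described above, reduced to its pattern. This is an added example and not Apache Struts code: two handlers spool file parts to disk the way a servlet-side multipart parser does, the leaky one returns through an exception before its cleanup loop and orphans what it already wrote, the hardened one cleans up on every exit path. The Part model, the size limit, and the upload_*.tmp naming are hypothetical stand-ins for the framework's own types; the driver counts what is left on disk after a burst of rejected requests.

```python
"""Added example (not Apache Struts code): the CWE-459 pattern behind a
multipart temp-file leak, as a leaky handler beside a hardened one."""
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Part:
    """One decoded multipart/form-data part (constructed test input)."""
    field: str
    filename: Optional[str]   # None for an ordinary form field
    data: bytes


def _spool(part: Part, save_dir: str) -> str:
    """Write a file part to a temp file; naming mimics commons-fileupload (assumption)."""
    fd, path = tempfile.mkstemp(prefix="upload_", suffix=".tmp", dir=save_dir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(part.data)
    return path


def leaky_handler(parts: List[Part], save_dir: str, max_size: int) -> List[str]:
    """Spools each file part, then checks its size.  A rejected request raises
    before the cleanup loop at the bottom runs, so every file spooled so far
    stays on disk: the CWE-459 pattern."""
    spooled: Dict[str, str] = {}
    for p in parts:
        if p.filename is None:
            continue
        spooled[p.field] = _spool(p, save_dir)
        if len(p.data) > max_size:
            raise ValueError(f"part {p.field!r} exceeds {max_size} bytes")
    accepted = sorted(spooled)
    for path in spooled.values():   # only reached on the success path
        os.unlink(path)
    return accepted


def hardened_handler(parts: List[Part], save_dir: str, max_size: int) -> List[str]:
    """Same logic, but cleanup lives in a finally block so it runs whether the
    request is accepted, rejected, or interrupted by any other exception."""
    spooled: Dict[str, str] = {}
    try:
        for p in parts:
            if p.filename is None:
                continue
            spooled[p.field] = _spool(p, save_dir)
            if len(p.data) > max_size:
                raise ValueError(f"part {p.field!r} exceeds {max_size} bytes")
        return sorted(spooled)
    finally:
        for path in spooled.values():
            try:
                os.unlink(path)
            except FileNotFoundError:
                pass  # already consumed and removed by the application


Handler = Callable[[List[Part], str, int], List[str]]


def leaked_files_after(handler: Handler, requests: int, max_size: int = 1024) -> int:
    """Send `requests` rejected uploads through `handler` in a fresh save
    directory and return how many temp files remain afterwards: the
    disk-exhaustion signal, measured directly."""
    bad_request = [                                      # constructed input
        Part("comment", None, b"hello"),                 # plain field, never spooled
        Part("avatar", "a.png", b"\x89PNG" + b"\0" * 100),   # small, spooled first
        Part("bulk", "big.bin", b"A" * (max_size + 1)),  # over the limit, rejected
    ]
    with tempfile.TemporaryDirectory() as save_dir:
        for _ in range(requests):
            try:
                handler(bad_request, save_dir, max_size)
            except ValueError:
                pass  # the application reported the error; did it clean up?
        return len([n for n in os.listdir(save_dir) if n.startswith("upload_")])


if __name__ == "__main__":
    print("leaky    :", leaked_files_after(leaky_handler, 50), "orphaned temp files")
    print("hardened :", leaked_files_after(hardened_handler, 50), "orphaned temp files")
```

Each rejected request through the leaky handler leaves two files (the small part that was accepted and the oversized one that triggered the rejection), so fifty requests leave a hundred files; the hardened handler leaves none. The Java equivalent of the finally block is try-with-resources or a finally that calls the part's delete method, and the same discipline applies to any resource acquired before validation completes.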

Potential Impact

For European organizations the impact depends on how exposed their Struts applications are. Struts remains common in government portals, financial services, healthcare systems and large enterprises, and a disk-exhaustion denial of service on such a system disrupts the service itself and can cascade into anything that shares the host or volume (databases, log shippers, other applications). Deployments without disk monitoring or per-application volume limits are the most at risk, because the first symptom may be an outage rather than an alert. Downtime carries financial and reputational cost, and for systems that process personal data it also bears on the GDPR Article 32 expectation of availability and resilience. Because the trigger is a crafted HTTP request, any Internet-facing Struts endpoint that accepts multipart bodies is reachable by an attacker. No exploitation was known at publication, which leaves a window for patching; public-sector and critical-infrastructure services built on Struts should use it, since they are plausible targets for availability attacks against national digital services.

Mitigation Recommendations

1. Upgrade to Apache Struts 6.8.0 (6.x line) or 7.1.1 (7.x line). This is the only complete fix; everything below is a stopgap.
2. Until then, bound what one request can spool: set struts.multipart.maxSize to the smallest value the application tolerates and, where the deployed version supports it, limit the number of files per request as well. Validation inside the action does not help here, because the files are written before the action runs.
3. Monitor disk usage and the multipart save directory (struts.multipart.saveDir, or java.io.tmpdir when unset) for growth in the number and total size of spooled files; alert on rate of growth, not only on free space.
4. Rate-limit multipart requests per client at the WAF or reverse proxy. A leaking request looks like a legitimate upload by content, so signatures will not catch it; request rate and size limits will contain it.
5. Periodically remove spooled files in the save directory that are older than the longest legitimate request could take; removing newer files risks breaking in-flight uploads.
6. Inventory every application that ships Struts, including ones that pull it in transitively, and prioritize patching Internet-facing instances.
7. Restrict network access to Struts applications that do not need to be reachable from untrusted networks.
8. Brief development and operations teams; in application code, keep temp-file cleanup in finally blocks or try-with-resources so it runs on every exit path.
9. Update incident response plans for resource-exhaustion denial of service, including how to free disk on an affected host without destroying evidence.
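Items 3 and 5 together, as an added example that is not part of the advisory or of Apache Struts: an audit of the multipart save directory that reports how many spooled files exist, their total size and the oldest age, and purges only those older than the longest legitimate request. It assumes spooled uploads are named upload_*.tmp (the commons-fileupload convention) and that SAVE_DIR points at struts.multipart.saveDir or java.io.tmpdir; the thresholds are placeholders, and the demo runs against a throwaway directory with constructed files.

```python
"""Added example (not Apache Struts code): audit and stopgap purge of a
multipart save directory.  Naming, paths and thresholds are assumptions."""
import glob
import os
import tempfile
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAVE_DIR = "/tmp"            # assumption: replace with struts.multipart.saveDir
PATTERN = "upload_*.tmp"     # assumption: commons-fileupload DiskFileItem naming
MAX_AGE_S = 3600             # must exceed the longest legitimate upload
ALERT_COUNT = 500            # placeholder paging thresholds
ALERT_BYTES = 1 << 30


@dataclass
class Report:
    count: int = 0
    total_bytes: int = 0
    oldest_age_s: float = 0.0
    stale: List[str] = field(default_factory=list)   # older than the age limit

    @property
    def alarming(self) -> bool:
        return self.count >= ALERT_COUNT or self.total_bytes >= ALERT_BYTES


def audit_save_dir(save_dir: str = SAVE_DIR, pattern: str = PATTERN,
                   max_age_s: float = MAX_AGE_S,
                   now: Optional[float] = None) -> Report:
    """Count spooled upload files, their total size and age.  Files older than
    max_age_s cannot belong to an in-flight request and are reported as stale."""
    now = time.time() if now is None else now
    rep = Report()
    for path in glob.glob(os.path.join(save_dir, pattern)):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue  # removed between listing and stat: a request just finished
        age = now - st.st_mtime
        rep.count += 1
        rep.total_bytes += st.st_size
        rep.oldest_age_s = max(rep.oldest_age_s, age)
        if age > max_age_s:
            rep.stale.append(path)
    return rep


def purge_stale(rep: Report) -> int:
    """Delete the stale files from a report and return how many were removed.
    On Linux an unlinked file the JVM still holds open is freed once closed,
    so this is safe for in-flight requests; on Windows the unlink fails and
    the file is skipped."""
    removed = 0
    for path in rep.stale:
        try:
            os.unlink(path)
            removed += 1
        except OSError:
            pass
    return removed


def make_fixture(save_dir: str, fresh: int, stale: int, now: float) -> None:
    """Constructed test data: `stale` old spool files and `fresh` recent ones."""
    for i in range(fresh + stale):
        path = os.path.join(save_dir, f"upload_{i:04d}.tmp")
        with open(path, "wb") as fh:
            fh.write(b"\0" * 1024)
        age = 2 * MAX_AGE_S if i < stale else 60
        os.utime(path, (now - age, now - age))


def demo() -> Tuple[Report, int, Report]:
    """Audit a throwaway directory; returns (before, purged, after)."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        make_fixture(d, fresh=2, stale=3, now=now)
        before = audit_save_dir(d, now=now)
        purged = purge_stale(before)
        after = audit_save_dir(d, now=now)
    return before, purged, after


if __name__ == "__main__":
    before, purged, after = demo()
    print(f"{before.count} spooled files, {before.total_bytes} bytes, "
          f"oldest {before.oldest_age_s:.0f}s, {len(before.stale)} stale, "
          f"alarming={before.alarming}")
    print(f"purged {purged}; {after.count} remain")
```

Run the audit from cron or a monitoring agent and ship count, total_bytes and oldest_age_s as metrics; a rising count with a rising oldest age is the leak signature, whereas a high count with a young oldest age is simply load. Keep MAX_AGE_S above the slowest upload the application accepts, or the purge becomes its own denial of service.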


Technical Details

Data Version
5.2
Assigner Short Name
apache
Date Reserved
2025-11-11T15:12:23.069Z
Cvss Version
null
State
PUBLISHED

Threat ID: 692dbfd095b0bac45939d90e

Added to database: 12/1/2025, 4:18:24 PM

Last enriched: 12/1/2025, 4:21:26 PM

Last updated: 12/1/2025, 5:39:46 PM



