CVE-2025-66675: CWE-459 Incomplete Cleanup in Apache Software Foundation Apache Struts
Denial of Service vulnerability in Apache Struts: a file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue. It is related to https://cve.org/CVERecord?id=CVE-2025-64775; this CVE addresses the missing affected version 6.7.4.
AI Analysis
Technical Summary
CVE-2025-66675 is a denial of service vulnerability in Apache Struts, a widely used open-source Java web application framework. The flaw sits in multipart request handling, the code path used for file uploads: Struts spools uploaded parts to temporary files on disk but, in the affected versions, does not reliably remove those files once the request has been processed. Each multipart request can therefore leave data behind, and because a multipart body is ordinary HTTP traffic that any client able to reach an upload-accepting endpoint can send repeatedly, an attacker can fill the filesystem that holds the temporary directory until the application, or the whole host, fails for lack of space. The affected ranges, 2.0.0 through 6.7.4 and 7.0.0 through 7.0.3, span every major release since Struts 2, so the defect is long-standing. It is classified as CWE-459 (Incomplete Cleanup), the failure to release a resource after the operation that acquired it has finished. No exploitation in the wild had been reported at the time of writing, but the trigger requires no authentication bypass or memory corruption and the impact on availability is direct, so the risk is significant. The Apache Software Foundation fixed the issue in 6.8.0 and 7.1.1 and recommends upgrading. This record exists alongside CVE-2025-64775, the earlier record for this file leak; CVE-2025-66675 was issued because that record did not list 6.7.4 as affected. No CVSS score has been assigned, so severity has to be judged from the impact and exploitability described here.
Potential Impact
For European organizations, the impact of CVE-2025-66675 can be substantial, particularly for those that run critical web applications on Apache Struts. The vulnerability affects availability: disk exhaustion can take the application offline, and if the temporary directory shares a filesystem with logs, databases or the operating system, the outage can extend to the whole host and to other services on it. Organizations in finance, government, healthcare and e-commerce, where Struts remains common in long-lived Java applications, may face operational interruptions and reputational damage. The risk is higher where disk usage is not monitored and where nobody verifies that temporary upload files are actually being removed. Confidentiality and integrity are not directly affected, but loss of availability can breach service level agreements and the availability and resilience obligations that European regulation places on processing systems, such as GDPR Article 32. The absence of known exploits leaves a window for proactive mitigation, but the exploitation vector is straightforward, so that window should not be assumed to last.
Mitigation Recommendations
To mitigate CVE-2025-66675, organizations should first upgrade Apache Struts to 6.8.0 or 7.1.1, where the leak is fixed. Beyond patching, monitor disk usage on the filesystem that holds the multipart temporary directory; this is the location set by the struts.multipart.saveDir constant or, when it is unset, the servlet container's temporary directory, so confirm which one applies to each deployment. Alert on abnormal growth in the number or total size of temporary upload files as well as on low free space, since file counts rise before free space is noticeably affected. Place that directory on its own volume or enforce a quota on it so that a successful attack fills a bounded area rather than the root filesystem. Limit request size with struts.multipart.maxSize and, where the Struts version provides them, the per-request file-count and per-file limits, and cap concurrent uploads at the reverse proxy. As a stopgap on systems that cannot be patched immediately, a scheduled job that removes temporary upload files older than the longest plausible request duration prevents the leak from accumulating; the grace period must be long enough that files belonging to in-flight uploads are never touched. At the proxy or WAF, reject multipart bodies on endpoints that do not accept uploads and rate-limit multipart POSTs per source, which raises the cost of exhausting the disk without affecting legitimate users. Security teams should also review access logs for bursts of multipart requests from a small set of sources. Finally, developers and administrators should treat temporary-file lifetime as part of secure upload handling so that similar leaks are caught in review.
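The monitoring and stale-file cleanup described above, as an added example that is not Struts code and not part of the original advisory. It assumes the Commons FileUpload naming convention that Struts' multipart handler uses for spooled parts (a prefix of upload_ and a suffix of .tmp) and takes the directory, grace period and thresholds as parameters; check the name pattern against your own saveDir before relying on it.

```python
"""Detect, and optionally reclaim, orphaned multipart temp files.

Struts spools multipart parts through a Commons FileUpload-style
DiskFileItem, which writes files named upload_<id>.tmp into the
configured saveDir (or the container temp directory when
struts.multipart.saveDir is unset).  A healthy request deletes its
temp files when it finishes, so any such file whose modification time
is older than the longest plausible request is a leak.  This is an
added monitoring stopgap for CVE-2025-66675, not project code; the
name pattern and thresholds below are assumptions to tune per site.
"""
import os
import re
import time
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# Assumed temp-file name pattern (Commons FileUpload prefix/suffix).
TEMP_FILE_RE = re.compile(r"^upload_.+\.tmp$")


@dataclass
class ScanResult:
    stale_count: int   # temp files older than the grace period
    stale_bytes: int   # bytes held by those files
    free_bytes: int    # free space on the filesystem holding save_dir
    alert: bool        # True when either threshold is crossed


def _stale_files(save_dir: Path, grace_seconds: int, now: float):
    """Yield (path, size) for matching files untouched for grace_seconds."""
    for entry in save_dir.iterdir():
        if not entry.is_file() or not TEMP_FILE_RE.match(entry.name):
            continue
        st = entry.stat()
        # mtime keeps advancing while a part is still being written, so
        # an in-flight upload never looks stale under a sane grace period.
        if now - st.st_mtime >= grace_seconds:
            yield entry, st.st_size


def scan_save_dir(save_dir: Path, grace_seconds: int, max_stale_files: int,
                  min_free_bytes: int, now: Optional[float] = None) -> ScanResult:
    """Count leaked temp files and decide whether to raise an alert.

    Two signals are combined because the file count rises long before
    free space drops noticeably; alerting on count alone gives early
    warning, alerting on free space alone catches the late stage.
    """
    now = time.time() if now is None else now
    stale_count = stale_bytes = 0
    for _, size in _stale_files(save_dir, grace_seconds, now):
        stale_count += 1
        stale_bytes += size
    vfs = os.statvfs(save_dir)
    free_bytes = vfs.f_bavail * vfs.f_frsize
    alert = stale_count >= max_stale_files or free_bytes <= min_free_bytes
    return ScanResult(stale_count, stale_bytes, free_bytes, alert)


def reclaim_stale(save_dir: Path, grace_seconds: int, dry_run: bool = True,
                  now: Optional[float] = None) -> List[str]:
    """Delete leaked temp files older than grace_seconds; list them if dry_run.

    Only files matching TEMP_FILE_RE are considered, so unrelated
    content in a shared temp directory is never removed.
    """
    now = time.time() if now is None else now
    removed = []
    for path, _ in _stale_files(save_dir, grace_seconds, now):
        if not dry_run:
            path.unlink(missing_ok=True)
        removed.append(path.name)
    return removed


if __name__ == "__main__":
    # Assumed deployment values; adjust to the real saveDir and request limits.
    SAVE_DIR = Path("/var/lib/tomcat/work/struts-uploads")
    result = scan_save_dir(SAVE_DIR, grace_seconds=1800,
                           max_stale_files=500, min_free_bytes=2 * 1024 ** 3)
    print(result)
    if result.alert:
        print("leaked files:", reclaim_stale(SAVE_DIR, 1800, dry_run=True))
```

Run the dry-run variant from cron first and compare the listed names with files that legitimately belong to active requests; only once the grace period is demonstrably longer than any real upload should dry_run be set to False. The check is a symptom monitor, not a fix: the upgrade remains the remediation.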
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: apache
- Date Reserved: 2025-12-07T08:25:45.422Z
- CVSS Version: none (no score assigned)
- State: PUBLISHED
Threat ID: 693945e9681246c13df087fa
Added to database: 12/10/2025, 10:05:29 AM
Last enriched: 12/10/2025, 10:20:44 AM
Last updated: 12/11/2025, 7:01:29 AM