CVE-2025-66675 is a vulnerability classified under CWE-459 (Incomplete Cleanup) affecting the Apache Struts framework, specifically in its multipart request processing component. The flaw causes temporary files created during multipart/form-data requests to not be properly cleaned up, resulting in file leaks that accumulate on disk. Over time, this accumulation can exhaust disk space, leading to Denial of Service (DoS) conditions where the affected server becomes unresponsive or crashes due to lack of storage resources. The vulnerability affects a broad range of Apache Struts versions from 2.0.0 through 6.7.4 and 7.0.0 through 7.0.3, indicating a long-standing issue spanning multiple major releases. The CVSS v3.1 base score is 8.2, reflecting high severity with network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), limited confidentiality impact (C:L), no integrity impact (I:N), and high availability impact (A:H). Exploitation is straightforward as it requires only sending crafted multipart requests to the vulnerable server. Although no active exploits have been reported, the potential for disruption is significant given the ease of triggering disk exhaustion. The Apache Software Foundation has addressed the issue in versions 6.8.0 and 7.1.1, and users are strongly encouraged to upgrade. This vulnerability is related to CVE-2025-64775, which also addresses affected versions around 6.7.4, indicating a cluster of multipart processing issues.

For European organizations, the impact of CVE-2025-66675 can be substantial, particularly for those relying on Apache Struts for critical web applications and services. The vulnerability can lead to Denial of Service by exhausting disk space, causing application downtime and potential disruption of business operations. This is especially critical for sectors such as finance, government, healthcare, and e-commerce, where availability and uptime are paramount. The limited confidentiality impact means sensitive data leakage is unlikely, but service unavailability can indirectly affect customer trust and regulatory compliance, including GDPR requirements for service continuity. Organizations with high-volume web traffic are at greater risk due to the ease of triggering multipart request processing repeatedly to exhaust resources. The absence of required authentication or user interaction lowers the barrier for attackers, increasing the threat surface. Additionally, the long range of affected versions means many legacy systems may still be vulnerable, increasing the scope of impact across European enterprises.

1. Immediate upgrade of Apache Struts to versions 6.8.0 or 7.1.1 where the vulnerability is fixed. 2. Implement strict resource limits on multipart request processing, such as limiting the size and number of temporary files created per request. 3. Monitor disk usage closely on servers running Apache Struts to detect unusual growth in temporary files or disk consumption. 4. Employ web application firewalls (WAFs) with rules to detect and block abnormal multipart/form-data requests that could trigger the vulnerability. 5. Conduct regular audits of web server logs to identify patterns of multipart request abuse. 6. For legacy systems that cannot be immediately upgraded, consider isolating them behind reverse proxies that can filter or rate-limit multipart requests. 7. Educate development and operations teams about the vulnerability and ensure patch management processes prioritize this update. 8. Review multipart request handling configurations and disable unnecessary multipart support if not required by the application.