CVE-2025-66675

EUVD-2025-202417
Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion.

This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3.

Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.

It's related to  https://cve.org/CVERecord?id=CVE-2025-64775  - this CVE addresses missing affected version 6.7.4
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
CISA-ADPADP
8.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 31%
Affected Products (NVD)
VendorProductVersion
apachestruts
2.0.0 ≤
𝑥
≤ 2.3.37
apachestruts
2.5.0 ≤
𝑥
≤ 2.5.33
apachestruts
6.0.0 ≤
𝑥
< 6.8.0
apachestruts
7.0.0 ≤
𝑥
< 7.1.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://cve.org/CVERecord?id=CVE-2025-64775
https://cwiki.apache.org/confluence/display/WW/S2-068