I am looking into CVE-2025-64775, and which Apache Struts2 versions are affected.
My findings on the web are inconsistent. Lukasz, can you confirm that this would not affect versions of Struts 6 above Struts 6.7.0?

Thank you,
Davo

On Mon, Dec 1, 2025 at 8:45 AM Lukasz Lenart <[email protected]> wrote:
> Severity: important
>
> Affected versions:
>
> - Apache Struts (org.apache.struts:struts2-core) 2.0.0 through 6.7.0
> - Apache Struts (org.apache.struts:struts2-core) 7.0.0 through 7.0.3
>
> Description:
>
> Denial of Service vulnerability in Apache Struts, file leak in
> multipart request processing causes disk exhaustion.
>
> This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0
> through 7.0.3.
>
> Users are recommended to upgrade to version 6.8.0 or 7.1.1, which
> fixes the issue.
>
> Credit:
>
> Nicolas Fournier (reporter)
>
> References:
>
> https://cwiki.apache.org/confluence/display/WW/S2-068
> https://struts.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2025-64775
>
>
> On behalf of the Apache Struts project
> Łukasz Lenart

