Hi Lukasz,

Thank you for your confirmation.

S2-068
https://cwiki.apache.org/confluence/display/WW/S2-068

Under the Solution section, the page states "Upgrade to Struts
6.8.0", should it be updated to "Upgrade to Struts 6.7.0"?

Thanks,
Davo

On Fri, Dec 5, 2025 at 12:17 AM Łukasz Lenart <[email protected]>
wrote:

> I missed 6.7.4, sorry, my bad :( Any version above 6.7.x is fine.
>
> On Thu, Dec 4, 2025 at 21:36 David Brunstein <[email protected]>
> wrote:
> >
> > I am looking into CVE-2025-64775, and which Apache Struts2 versions are
> > affected.
> >
> > My findings on the web are inconsistent. Lukasz, can you confirm that this
> > would not affect versions of Struts 6 above Struts 6.7.0?
> >
> > Thank you,
> > Davo
> >
> > On Mon, Dec 1, 2025 at 8:45 AM Lukasz Lenart <[email protected]>
> > wrote:
> >
> > > Severity: important
> > >
> > > Affected versions:
> > >
> > > - Apache Struts (org.apache.struts:struts2-core) 2.0.0 through 6.7.0
> > > - Apache Struts (org.apache.struts:struts2-core) 7.0.0 through 7.0.3
> > >
> > > Description:
> > >
> > > Denial of Service vulnerability in Apache Struts, file leak in
> > > multipart request processing causes disk exhaustion.
> > >
> > > This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0
> > > through 7.0.3.
> > >
> > > Users are recommended to upgrade to version 6.8.0 or 7.1.1, which
> > > fixes the issue.
> > >
> > > Credit:
> > >
> > > Nicolas Fournier (reporter)
> > >
> > > References:
> > >
> > > https://cwiki.apache.org/confluence/display/WW/S2-068
> > > https://struts.apache.org/
> > > https://www.cve.org/CVERecord?id=CVE-2025-64775
> > >
> > >
> > > On behalf of the Apache Struts project
> > > Łukasz Lenart
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [email protected]
> > > For additional commands, e-mail: [email protected]
> > >
> > >
>
