Hello,

Are Struts 6.x client applications vulnerable in case they do not rely on the file upload feature and have explicitly disabled file upload support via the struts.multipart.enabled config property (as explained in https://struts.apache.org/core-developers/action-file-upload#disabling-file-upload-support)?
Kind Regards,
Georgi

On 2025/12/01 14:44:54 Lukasz Lenart wrote:
> Severity: important
>
> Affected versions:
>
> - Apache Struts (org.apache.struts:struts2-core) 2.0.0 through 6.7.0
> - Apache Struts (org.apache.struts:struts2-core) 7.0.0 through 7.0.3
>
> Description:
>
> Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion.
>
> This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3.
>
> Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.
>
> Credit:
>
> Nicolas Fournier (reporter)
>
> References:
>
> https://cwiki.apache.org/confluence/display/WW/S2-068
> https://struts.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2025-64775
>
>
> On behalf of the Apache Struts project
> Łukasz Lenart
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>

