Skip to main content

Ubuntu CVE-2025-64775

| EUVDEUVD-2025-200019 HIGH
Incomplete Cleanup (CWE-459)
2025-12-01 security@apache.org GHSA-xx7v-hqxh-cjr9
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 15, 2026 - 13:34 euvd
EUVD-2025-200019
Analysis Generated
Mar 15, 2026 - 13:34 vuln.today
PoC Detected
Jan 26, 2026 - 11:30 vuln.today
Public exploit code
CVE Published
Dec 01, 2025 - 16:15 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 49 maven packages depend on org.apache.struts:struts2-core (43 direct, 6 indirect)

Ecosystem-wide dependent count for version 6.0.0.

DescriptionCVE.org

Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion.

This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3.

Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.

Analysis

Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion.

This issue affects Apache Struts: from 2.0.0 through 6.7.0, from 7.0.0 through 7.0.3.

Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.

Technical ContextAI

A denial of service vulnerability allows an attacker to disrupt the normal functioning of a system, making it unavailable to legitimate users. This vulnerability is classified as Incomplete Cleanup (CWE-459).

RemediationAI

Implement rate limiting and input validation. Use timeout mechanisms for resource-intensive operations. Deploy DDoS protection where applicable.

More in Struts

View all
CVE-2013-1966 CRITICAL POC
9.3 Jul 10

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not

CVE-2016-3087 CRITICAL POC
9.8 Jun 07

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, a

CVE-2016-3081 HIGH POC
8.1 Apr 26

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, a

CVE-2014-0114 HIGH POC
7.5 Apr 30

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in o

CVE-2014-0112 HIGH POC
7.5 Apr 29

ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which all

CVE-2017-12611 CRITICAL POC
9.8 Sep 20

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag in

CVE-2013-2115 HIGH POC
8.1 Jul 10

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not

CVE-2012-0394 MEDIUM POC
6.8 Jan 08

The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers

CVE-2013-1965 CRITICAL POC
9.3 Jul 10

Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute

CVE-2013-2134 CRITICAL POC
9.3 Jul 16

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted acti

CVE-2014-0094 MEDIUM POC
5.0 Mar 11

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via t

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

Vendor StatusVendor

Ubuntu

Priority: Medium

Debian

libstruts1.2-java
Release Status Fixed Version Urgency
(unstable) fixed (unfixed) -

Share

CVE-2025-64775 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy