CVE-2025-66675

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-66675
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66675.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-66675
Aliases
Published
2025-12-10T10:16:02.170Z
Modified
2026-03-15T22:51:34.685806Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H CVSS Calculator
Summary
[none]
Details

Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion.

This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3.

Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.

It's related to  https://cve.org/CVERecord?id=CVE-2025-64775  - this CVE addresses missing affected version 6.7.4

References

Affected packages

Git / github.com/apache/struts

Affected ranges

Type
GIT
Repo
https://github.com/apache/struts
Events
Introduced
2c0a197cea8fdc7d8cda5eeaa15a1c76507ac0a5
Last affected
60a1a2642ae7ddf74c0062fe37b3b57f83a0588e
Introduced
68fb49c10e083dce829476778eec726fc90c8c38
Fixed
80225c7169436985c002ad258e6fd341c766829b
Introduced
1d95543fbf2c873d5dab1773f951c38e3220b4e5
Fixed
08a5eddc33c48a38fa3732fca0d216510c52dbab
Database specific 
{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "last_affected": "2.3.37"
        },
        {
            "introduced": "6.0.0"
        },
        {
            "fixed": "6.8.0"
        },
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.1.1"
        }
    ]
}

Database specific

unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "2.5.0"
            },
            {
                "last_affected": "2.5.33"
            }
        ]
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66675.json"