CVE-2023-41835 in Apache Struts

Summary

by MITRE • 12/05/2023

When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied. Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fix this issue.


Analysis

by VulDB Data Team • 05/28/2025

This vulnerability resides in the Apache Struts framework's handling of multipart file uploads and is a resource-management flaw: temporary upload files are not cleaned up when a request is rejected, which can lead to denial of service and, in narrow circumstances, to exposure of previously uploaded content. The issue manifests when a multipart request contains a text field whose value exceeds the configured struts.multipart.maxStringLength limit. Struts denies the request, but the file parts that were already written to struts.multipart.saveDir while the request was being parsed are left in place. The result is a persistent state in which files belonging to a request that should never have been accepted remain on the filesystem.

The technical flaw stems from a missing cleanup step in Struts' multipart processing pipeline. File parts are written to temporary storage during parsing, before Struts has checked every text field against maxStringLength, so by the time the over-length field is detected one or more temporary files already exist. The rejection path does not delete them, so they stay in struts.multipart.saveDir. The root cause is incomplete cleanup on an error path (CWE-459); the consequence, and the classification used here, is uncontrolled resource consumption (CWE-400), a denial of service through files that accumulate on disk. Note that the leftover content is whatever the sender uploaded: an attacker learns nothing new from their own files, so the disclosure concern only applies to rejected uploads from legitimate users that another local account could read from the temporary directory.
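The failure mode described above, reduced to a runnable model. This is an added example written in Python; it is not Struts code and does not reproduce Struts' internals. It assumes the two-step structure the analysis describes (every part is materialised first, with file parts written to a saveDir-like directory, then text fields are checked against a maxStringLength-like limit), and the multipart body, the limit of 64 bytes and the file names are constructed for the demo. The only difference between the vulnerable and hardened handlers is whether the rejection path deletes the files it already wrote.

```python
"""Model of CVE-2023-41835: file parts land in saveDir before text fields are
validated, and the vulnerable reject path forgets to delete them.
Added example in Python, not Apache Struts code."""
import email
import email.policy
import os
import tempfile
from pathlib import Path

# Stand-in for struts.multipart.maxStringLength (assumed value for the demo).
MAX_STRING_LENGTH = 64


class RequestRejected(Exception):
    """Raised when a text field exceeds MAX_STRING_LENGTH (request denied)."""


def build_multipart(boundary, items):
    """Constructed sample input: a multipart/form-data body.
    items are (name, filename_or_None, content); filename=None means a text field."""
    out = []
    for name, filename, content in items:
        disp = f'form-data; name="{name}"'
        ctype = ''
        if filename is not None:
            disp += f'; filename="{filename}"'
            ctype = 'Content-Type: application/octet-stream\r\n'
        out.append(f'--{boundary}\r\nContent-Disposition: {disp}\r\n{ctype}\r\n{content}\r\n')
    out.append(f'--{boundary}--\r\n')
    return ''.join(out).encode()


def iter_parts(boundary, body):
    """Yield (field_name, filename_or_None, payload_bytes) in wire order, using
    the standard-library MIME parser for multipart/form-data."""
    raw = f'Content-Type: multipart/form-data; boundary={boundary}\r\n\r\n'.encode() + body
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    for part in msg.iter_parts():
        name = part.get_param('name', header='content-disposition')
        yield name, part.get_filename(), part.get_payload(decode=True)


def _process(boundary, body, save_dir, cleanup_on_reject):
    saved, fields = [], {}
    # Phase 1: materialise every part. File parts hit saveDir immediately,
    # before any text field has been validated.
    for name, filename, payload in iter_parts(boundary, body):
        if filename is None:
            fields[name] = payload
            continue
        fd, path = tempfile.mkstemp(prefix='upload_', suffix='.tmp', dir=save_dir)
        with os.fdopen(fd, 'wb') as fh:
            fh.write(payload)
        saved.append(path)
    # Phase 2: enforce the string-length limit. The vulnerable variant raises
    # and walks away from the files written in phase 1; the hardened variant
    # deletes them first (the fix shipped in the patched Struts releases).
    for name, payload in fields.items():
        if len(payload) > MAX_STRING_LENGTH:
            if cleanup_on_reject:
                for path in saved:
                    Path(path).unlink(missing_ok=True)
            raise RequestRejected(f'field {name!r} exceeds maxStringLength')
    return {n: v.decode() for n, v in fields.items()}, saved


def vulnerable_handle(boundary, body, save_dir):
    return _process(boundary, body, save_dir, cleanup_on_reject=False)


def hardened_handle(boundary, body, save_dir):
    return _process(boundary, body, save_dir, cleanup_on_reject=True)


def rejected_request(boundary='demo-boundary'):
    """Constructed attacker request: a 1 KiB file part plus one over-length field."""
    return build_multipart(boundary, [
        ('attachment', 'payload.bin', 'X' * 1024),
        ('comment', None, 'A' * (MAX_STRING_LENGTH + 1)),
    ])


def leftovers_after(handler):
    """Run one rejected request through handler in a fresh saveDir and return
    how many temp files survive the rejection."""
    with tempfile.TemporaryDirectory() as save_dir:
        try:
            handler('demo-boundary', rejected_request(), save_dir)
        except RequestRejected:
            pass
        return len(os.listdir(save_dir))


def demo():
    """(files left by vulnerable handler, files left by hardened handler)."""
    return leftovers_after(vulnerable_handle), leftovers_after(hardened_handle)


if __name__ == '__main__':
    print(demo())  # (1, 0)
```

Each call of `leftovers_after(vulnerable_handle)` leaves one orphaned `upload_*.tmp`; repeated over many requests that is the disk-exhaustion path, since no accepted upload ever refers to these files and nothing in the application's normal flow removes them.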

The operational impact is a persistent, low-cost denial of service. Each rejected request leaves its file parts behind, so an attacker who can reach any upload endpoint can fill the filesystem behind struts.multipart.saveDir by repeatedly sending a large file part together with a single over-length text field. Because the request is denied, the application never processes the upload, and the files are not tied to any record that the application would later clean up; they persist until someone removes them by hand. When saveDir shares a filesystem with the container's working directory, logs or a database (by default it is the servlet container's temporary directory), exhaustion degrades those as well. A secondary concern is the leftover content itself: files from rejected requests by legitimate users sit in a directory that other local accounts may be able to read if its permissions are loose. This behaviour maps to ATT&CK technique T1499.004 (Endpoint Denial of Service: Application or System Exploitation).

The recommended mitigation is to upgrade to a patched release: Struts 2.5.32, 6.1.2.2 or 6.3.0.1, or later in each line, which delete temporary files regardless of the validation outcome. Until that is done, defence in depth limits the damage: set struts.multipart.saveDir to a dedicated directory on its own filesystem or quota so that a flood cannot fill the root filesystem; restrict that directory's permissions to the service account; keep struts.multipart.maxSize small so each abusive request costs the attacker at least as much bandwidth as it costs the server in disk; run a periodic job that removes stale upload temp files; and monitor file count and disk usage in saveDir, since steady accumulation of temp files from requests that returned errors is the signature of this attack. Request limits at other layers (a reverse proxy capping body size, for example) reduce the number of requests that reach Struts' multipart parser at all.
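The compensating controls above (a stale-file sweeper plus an accumulation check for saveDir), as an added example. This is not a Struts or VulDB tool; it is Python written for this page. It assumes that temp uploads in saveDir follow the `upload_*.tmp` naming pattern and that any such file older than the configured age belongs to a request that has already finished, so deleting it cannot affect an in-flight upload; the age and count thresholds are assumptions to tune per deployment, and `demo()` builds its fixture files in a temporary directory.

```python
"""Sweeper and accumulation check for struts.multipart.saveDir.
Added example, not a Struts or VulDB tool."""
import os
import tempfile
import time
from pathlib import Path

UPLOAD_GLOB = 'upload_*.tmp'   # assumed temp-file naming pattern
MAX_AGE_SECONDS = 30 * 60      # assumed: no legitimate request runs this long


def scan_save_dir(save_dir, now=None, max_age=MAX_AGE_SECONDS):
    """Return (stale_paths, total_bytes, count) for temp uploads in save_dir.
    A file is stale when its mtime is older than max_age relative to now."""
    now = time.time() if now is None else now
    stale, total, count = [], 0, 0
    for p in Path(save_dir).glob(UPLOAD_GLOB):
        if not p.is_file():
            continue
        st = p.stat()
        count += 1
        total += st.st_size
        if now - st.st_mtime > max_age:
            stale.append(p)
    return stale, total, count


def sweep(save_dir, now=None, max_age=MAX_AGE_SECONDS, dry_run=False):
    """Delete stale temp uploads; return (files removed, bytes reclaimed).
    dry_run=True reports what would be removed without touching the disk."""
    stale, _, _ = scan_save_dir(save_dir, now, max_age)
    removed = reclaimed = 0
    for p in stale:
        size = p.stat().st_size
        if not dry_run:
            p.unlink(missing_ok=True)
        removed += 1
        reclaimed += size
    return removed, reclaimed


def accumulation_alert(save_dir, max_count=100, max_bytes=1 << 30, now=None):
    """Return an alert line when saveDir looks like it is filling up, the
    observable pattern of the CVE-2023-41835 DoS, otherwise None."""
    stale, total, count = scan_save_dir(save_dir, now)
    if count > max_count or total > max_bytes:
        return f'{save_dir}: {count} temp uploads, {total} bytes, {len(stale)} stale'
    return None


def _fixture(save_dir, now):
    """Constructed fixture: two stale uploads, one fresh one, one unrelated file."""
    for name, age, size in (('upload_a.tmp', 7200, 4096),
                            ('upload_b.tmp', 3600, 2048),
                            ('upload_c.tmp', 10, 512)):
        p = Path(save_dir) / name
        p.write_bytes(b'\0' * size)
        os.utime(p, (now - age, now - age))
    (Path(save_dir) / 'notes.txt').write_text('not an upload')


def demo():
    """Run the checks against the fixture and return
    (count before, stale before, alert fired, removed, reclaimed, count after)."""
    now = time.time()
    with tempfile.TemporaryDirectory() as save_dir:
        _fixture(save_dir, now)
        stale, _, count = scan_save_dir(save_dir, now)
        alert = accumulation_alert(save_dir, max_count=2, now=now)
        removed, reclaimed = sweep(save_dir, now)
        _, _, after = scan_save_dir(save_dir, now)
        return count, len(stale), alert is not None, removed, reclaimed, after


if __name__ == '__main__':
    print(demo())  # (3, 2, True, 2, 6144, 1)
```

In production `sweep()` would run from cron or a systemd timer against the real saveDir with `dry_run=True` first, and `accumulation_alert()` would feed whatever monitoring already watches the host. The sweeper is a stopgap: it bounds how much disk a flood can hold at once, it does not stop the flood, and only the upgrade removes the underlying bug.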
