3 May 2017
Handling a request that carries an Accept header with an unsupported media range starting with a wildcard but having a specific subtype (e.g.
*/boom) leads to a stack overflow during negotiation of the content type. Per default, stack overflows are treated as fatal errors, so that the JVM process will shut itself down immediately.
Please subscribe to the akka-security mailing list to be notified promptly about future security issues.
The CVSS score of this vulnerability is 7.8 (High), based on vector (AV:N/AC:L/Au:N/C:N/I:N/A:C).
All Akka HTTP servers using the high-level routing DSL are affected. The infinite recursion happens inside the
complete directive which is used in every Akka HTTP application using the high-level DSL.
A remote attacker that is able to send an HTTP request with such a malformed Accept header to an Akka HTTP application is able to cause a StackOverflowException and if the exception remains unhandled effectively shut down the server.
Applications written using only the low-level API from akka-http-core but not the routing DSL are not affected.
- akka-http prior to
Notably not affected:
- Play Framework (regardless of used server backend)
- Lagom Framework
- Low-level akka-http-core APIs
220.127.116.11(experimental) (please upgrade to the actively maintained
Please note that the
18.104.22.168 release contains no other changes except the single patch that addresses the vulnerability. Binary and source compatibility has been maintained so the upgrade procedure is as simple as changing the library dependency.
If you have any questions or need any help, please contact [email protected].
We would like to thank Martins Rumkovskis for finding and reporting this vulnerability.
At the same time we would like to remind our users that security related issues should be reported using our [email protected] alias, such that we can prevent a vulnerability from being exploited while we work on a workaround or fix.