Akka HTTP 10.1.x before 10.1.15 and 10.2.x before 10.2.7 can encounter stack exhaustion while parsing HTTP headers, which allows a remote attacker to conduct a Denial of Service attack by sending a User-Agent header with deeply nested comments.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| com.typesafe.akka:akka-http-core_2.13.0-RC3(Maven) | 10.1.0 | N/A | N/A |
| com.typesafe.akka:akka-http-core_2.13.0-RC2(Maven) | 10.1.0 | N/A | N/A |
| com.typesafe.akka:akka-http-core_2.13.0-M5(Maven) | 10.1.0 | N/A | N/A |
| com.typesafe.akka:aakka-http-core_2.13.0-M3(Maven) | 10.1.0 | N/A | N/A |
| com.typesafe.akka:akka-http-core_2.13(Maven) | 10.1.0 | 10.1.15 | N/A |
| com.typesafe.akka:akka-http-core_2.13(Maven) | 10.2.0-M1 | 10.2.7 | N/A |
| com.typesafe.akka:akka-http-core_2.12(Maven) | 10.1.0 | 10.1.15 | N/A |
| com.typesafe.akka:akka-http-core_2.12(Maven) | 10.2.0-M1 | 10.2.7 | N/A |
| com.typesafe.akka:akka-http-core_2.11(Maven) | 10.1.0 | 10.1.15 | N/A |
CVSS Metrics
