Akka Http 10.0.2 and 2.4.11.1 Security Patch Released!
January 23 2017
Konrad 'ktoso' Malawski

Dear hakkers,

This is to announce the immediate availability of a security patch release, addressing a potential denial of service attack targeting Akka HTTP in the versions listed below. The vulnerability was brought to our attention by Dmitry Kolesnikov and Lari Hotari, whom we’d like to thank for their thorough investigation and for following our security process.

Description of Vulnerability

For requests carrying a request body (including requests whose method would normally carry no entity, such as GET), a mistake in the connection's completion handling could leak memory when the connection was closed before the entity had been consumed. Under sustained traffic of this kind the leaked memory accumulates and may eventually bring the system down with an out-of-memory failure.

Affected Versions

  • (experimental) Akka HTTP 2.4.11 and prior,
  • (stable) Akka HTTP 10.0.1 and prior.

Fixed Versions

We have prepared patches for the affected versions, and have released the following versions which resolve the issue:

  • Akka HTTP 2.4.11.1 (Scala 2.11)
  • Akka HTTP 10.0.2 (Scala 2.11, 2.12)

The patched releases contain no other changes except the single patch that addresses the memory leak vulnerability. Binary and source compatibility has been maintained so the upgrade procedure is as simple as changing the library dependency.
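The following Scala snippet is an added illustration and is not part of this advisory or of the Akka code base. It shows the two things a practitioner would do in response: bump the dependency to a patched version (the actual fix), and, as general hygiene for the failure mode described above, make sure every handler either reads or explicitly discards the request entity so no entity stream is left dangling. The artifact coordinates are the published ones for these releases; the server object, route paths, size limit and timeout are assumed values for the example, and the entity-draining calls assume the Akka HTTP 10.0.x API.

```scala
// build.sbt (hypothetical project): select the patched artifact for your line.
//
// Akka HTTP 10.0.x, Scala 2.11 or 2.12:
//   libraryDependencies += "com.typesafe.akka" %% "akka-http" % "10.0.2"
// Akka HTTP 2.4.x (experimental line), Scala 2.11:
//   libraryDependencies += "com.typesafe.akka" %% "akka-http-experimental" % "2.4.11.1"

import akka.actor.ActorSystem
import akka.http.scaladsl.Http
import akka.http.scaladsl.model._
import akka.http.scaladsl.server.Directives._
import akka.stream.ActorMaterializer

import scala.concurrent.duration._

// Example server (assumed name), demonstrating explicit entity handling.
object DrainingServer extends App {
  implicit val system = ActorSystem("drain-example")
  implicit val materializer = ActorMaterializer()
  import system.dispatcher

  // Assumed upper bound on how much request body we are willing to buffer.
  val maxEntityBytes: Long = 1024 * 1024

  val route =
    // Handlers that do not need the body (here a GET) still drain it, so the
    // entity stream is completed instead of being left unconsumed.
    (get & path("ping")) {
      extractRequest { request =>
        request.discardEntityBytes()
        complete("pong")
      }
    } ~
    // Handlers that do need the body read it completely, bounded in both
    // size and time, so a slow or oversized client cannot hold the stream open.
    (post & path("echo")) {
      extractRequest { request =>
        val strictEntity =
          request.entity.withSizeLimit(maxEntityBytes).toStrict(5.seconds)
        onSuccess(strictEntity) { strict =>
          complete(HttpEntity(ContentTypes.`text/plain(UTF-8)`, strict.data))
        }
      }
    }

  Http().bindAndHandle(route, "127.0.0.1", 8080)
}
```

Upgrading is what removes the leak in the connection's completion handling; the draining pattern is independent of that fix and simply keeps application code from relying on the library to clean up entities it never read.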

Additional Important Information

The full list of addressed issues is available in the 10.0.2 milestone.

Note that Play and Lagom applications are not impacted by this vulnerability, regardless of whether they are using the Akka HTTP backend or the Netty backend.

Further details are explained in the Akka documentation’s security announcements section.

If you have any questions or need any help, please contact support@lightbend.com.

If you are not yet subscribed to our security notifications mailing list, we highly recommend you do so. It is hosted on Google Groups: akka-security.

– The Akka Team
