Akka Http 10.0.2 and 2.4.11.1 Security Patch Released!
January 23 2017
Konrad 'ktoso' Malawski

Dear hakkers,

This is to announce the immediate availability of a security patch release, addressing a potential denial of service attack targeting Akka HTTP in versions listed below. The vulnerability was brought to our attention by Dmitry Kolesnikov and Lari Hotari whom we’d like to thank for their thorough investigation and following our security process.

Description of Vulnerability

For requests carrying a request body (including requests whose method would normally not carry an entity, such as GET), a mistake in the completion handling of a connection could cause memory to leak whenever the connection was closed before the entity had been consumed. Because the leaked memory is not reclaimed, repeated requests of this kind may eventually lead to failure of the system due to running out of memory.

Affected Versions

  • (experimental) Akka HTTP 2.4.11 and prior,
  • (stable) Akka HTTP 10.0.1 and prior.

Fixed Versions

We have prepared patches for the affected versions, and have released the following versions which resolve the issue:

  • Akka HTTP 2.4.11.1 (Scala 2.11)
  • Akka HTTP 10.0.2 (Scala 2.11, 2.12)

The patched releases contain no changes other than the single patch that addresses the memory leak vulnerability. Binary and source compatibility has been maintained, so the upgrade procedure is as simple as changing the library dependency.
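To find out which of your builds still pull in an affected version, the following script (an added example, not code from the Akka project) scans sbt dependency declarations for akka-http artifacts and flags any version below 2.4.11.1 on the 2.4 line or below 10.0.2 on the 10.0 line, exactly the ranges listed above. The build.sbt content it scans is constructed for the example; the artifact-name pattern, the treatment of pre-release suffixes such as -RC1 as older than the corresponding final release, and the assumption that only 2.4.x and 10.0.x are covered by this advisory are the author's own choices.

```python
import re

# Advisory thresholds: the first fixed release on each affected line.
FIXED_VERSIONS = {
    (2, 4): "2.4.11.1",   # experimental 2.4.x line
    (10, 0): "10.0.2",    # stable 10.0.x line
}

# sbt declarations such as:  "com.typesafe.akka" %% "akka-http" % "10.0.1"
# The artifact pattern (akka-http, akka-http-core, akka-http-experimental, ...)
# is an assumption about how the dependency is spelled in a build.
DEP_RE = re.compile(
    r'"com\.typesafe\.akka"\s*%%?\s*"(akka-http[\w-]*)"\s*%\s*"([^"]+)"'
)


def parse_version(version: str) -> tuple:
    """Turn '10.0.2-RC1' into a comparable tuple.

    Numeric parts are compared positionally; a trailing pre-release suffix
    sorts below the final release with the same number (assumption: we treat
    pre-releases conservatively, i.e. as not yet containing the fix).
    """
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    suffix_rank = 0 if m.group(2) == "" else -1
    return nums + (suffix_rank,)


def is_affected(version: str) -> bool:
    """True if the akka-http version is in a range the advisory lists as vulnerable."""
    parsed = parse_version(version)
    line = parsed[:2]
    if line not in FIXED_VERSIONS:
        # Release lines other than 2.4.x / 10.0.x are not covered by this advisory.
        return False
    return parsed < parse_version(FIXED_VERSIONS[line])


def scan_build(text: str) -> list:
    """Return [(artifact, version, affected)] for each akka-http dependency found."""
    return [
        (artifact, version, is_affected(version))
        for artifact, version in DEP_RE.findall(text)
    ]


# Constructed sample build file, not taken from any real project.
SAMPLE_BUILD_SBT = """
libraryDependencies ++= Seq(
  "com.typesafe.akka" %% "akka-actor" % "2.4.16",
  "com.typesafe.akka" %% "akka-http" % "10.0.1",
  "com.typesafe.akka" %% "akka-http-core" % "10.0.2",
  "com.typesafe.akka" %% "akka-http-experimental" % "2.4.11"
)
"""

if __name__ == "__main__":
    for artifact, version, affected in scan_build(SAMPLE_BUILD_SBT):
        status = "AFFECTED, upgrade" if affected else "ok"
        print(f"{artifact} {version}: {status}")
```

Run it against a real build.sbt by reading the file into scan_build; akka-actor is deliberately ignored because the advisory concerns the Akka HTTP artifacts only.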

Additional Important Information

The full list of addressed issues is available in the 10.0.2 milestone.

Note that Play and Lagom applications are not impacted by this vulnerability, regardless of whether they are using the Akka HTTP backend or the Netty backend.

Further details are explained in the Akka documentation’s security announcements section.

If you have any questions or need any help, please contact support@lightbend.com.

If you are not yet subscribed to our security notifications mailing list, we highly recommend you do so. It is located on Google Groups: akka-security.

– The Akka Team
