Dear hakkers,

This is to announce the immediate availability of a security patch release, addressing a potential denial of service attack targeting Akka HTTP in versions listed below. The vulnerability was brought to our attention by Dmitry Kolesnikov and Lari Hotari whom we’d like to thank for their thorough investigation and following our security process.

Description of Vulnerability

For requests containing request bodies (including request methods which would normally not include entities like GET requests), a mistake in completion handling of a connection could lead to memory leaking after the connection had been closed before the entity was consumed. This may eventually lead to a failure of the system due to being out of memory.

Affected Versions

• (experimental) Akka HTTP 2.4.11 and prior,
• (stable) Akka HTTP 10.0.1 and prior.

Fixed Versions

We have prepared patches for the affected versions, and have released the following versions which resolve the issue:

• Akka HTTP 2.4.11.1 (Scala 2.11)
• Akka HTTP 10.0.2 (Scala 2.11, 2.12)

The patched releases contain no other changes except the single patch that addresses the memory leak vulnerability. Binary and source compatibility has been maintained so the upgrade procedure is as simple as changing the library dependency.

Additional Important Information

The full list of addressed issues is available in the 10.0.2 milestone.

Note that Play and Lagom applications are not impacted by this vulnerability, regardless of whether they are using the Akka HTTP backend or the Netty backend.

Further details are explained in the Akka documentation’s security announcements section.

If you have any questions or need any help, please contact [email protected].

If you are not yet subscribed to our security notifications mailing list, we higly recommend you do so. It is located on google groups: akka-security.

– The Akka Team