We are happy to announce the 10.2.4 and 10.1.14 releases of Akka HTTP. This release is a security fix release.
The vulnerability cannot be exploited using just Akka HTTP itself. Instead, Akka HTTP must be used as a proxy and the downstream server must be vulnerable itself, so that the proxy and the downstream server disagree on how to interpret a malformed request containing both Transfer-Encoding and Content-Length headers, potentially leading to a “Request Smuggling” vulnerability. If you are using Akka HTTP as a reverse proxy, make sure to upgrade to the latest version.
Starting from this version, only a single Transfer-Encoding: chunked header is allowed. HTTP/1.1 specifies other encodings; however, those are not supported or implemented in Akka HTTP. Formerly, Akka HTTP would just pass on unsupported Transfer-Encoding headers to the user, which led to the above security issue. Since Akka HTTP implements the “Transfer” part of the protocol, it seems reasonable to lock down the allowed values for Transfer-Encoding to prevent security issues like this.
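To make the tightened rule concrete, here is an added, standalone example (not Akka HTTP's own code) of a framing-header check that a reverse proxy could apply before forwarding a request: it accepts at most one Transfer-Encoding header and only the value chunked, as the release describes, and additionally (an assumption beyond this release note, taken from the RFC 7230 §3.3.3 rules) rejects requests carrying both Transfer-Encoding and Content-Length or conflicting Content-Length values. The sample request heads are constructed for illustration.

```python
from typing import Dict, List, Tuple


def check_framing_headers(raw_head: bytes) -> Tuple[bool, str]:
    """Decide whether an HTTP/1.1 request head has unambiguous message framing.

    Policy (modelled on the Akka HTTP release note, plus RFC 7230 §3.3.3):
      * at most one Transfer-Encoding header, and its value must be exactly "chunked"
      * Transfer-Encoding together with Content-Length is rejected (ambiguous framing)
      * repeated Content-Length headers must agree and be a non-negative integer
    Returns (accepted, reason).
    """
    lines = raw_head.split(b"\r\n")
    te_values: List[str] = []
    cl_values: List[str] = []
    for line in lines[1:]:  # skip the request line
        if not line:
            break  # blank line ends the header section
        name, sep, value = line.partition(b":")
        if not sep:
            return False, "malformed header line"
        name = name.strip().lower()
        value = value.strip().decode("ascii", "replace")
        if name == b"transfer-encoding":
            te_values.append(value)
        elif name == b"content-length":
            cl_values.append(value)
    if len(te_values) > 1:
        return False, "multiple Transfer-Encoding headers"
    if te_values:
        if te_values[0].lower() != "chunked":  # e.g. "identity" or "gzip, chunked"
            return False, f"unsupported Transfer-Encoding: {te_values[0]!r}"
        if cl_values:
            return False, "Transfer-Encoding and Content-Length both present"
    if cl_values:
        if len(set(cl_values)) > 1:
            return False, "conflicting Content-Length headers"
        if not cl_values[0].isdigit():
            return False, "invalid Content-Length"
    return True, "ok"


# Constructed sample request heads (not captured traffic); host name is a placeholder.
SAMPLES: Dict[str, bytes] = {
    "plain": b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n",
    "chunked": b"POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n",
    "te_cl": b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    "two_te": b"POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\nTransfer-Encoding: chunked\r\n\r\n",
    "odd_te": b"POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: identity\r\n\r\n",
}


def audit_samples() -> Dict[str, Tuple[bool, str]]:
    """Run the check over every constructed sample and return the verdicts."""
    return {name: check_framing_headers(head) for name, head in SAMPLES.items()}
```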
Please let us know if this leads to compatibility problems with your software.
commits  added  removed  author
4        154    96       Johan Andrén
3        82     12       Johannes Rudolph
2        966    967      Nitika Agarwal
1        171    4        Arman Bilge
1        0      10       Sathiya
1        5      0        Ignasi Marimon-Clos
Akka by Lightbend
The Akka core team is employed by Lightbend. If you’re looking to take your Akka systems to the next level, let’s set up a time to discuss our enterprise-grade expert support, self-paced education courses, and technology enhancements that help you manage, monitor and secure your Akka systems - from development to production.
– The Akka Team