2018-09-05
The directives decodeRequest and decodeRequestWith, which handle compressed request data, did not limit the amount of uncompressed data flowing out of them. In combination with common request directives like entity(as), toStrict, or formField, this can lead to excessive memory usage, ultimately leading to an out-of-memory situation when highly compressed data is received (a so-called "Zip Bomb"). Any code that uses decodeRequest or decodeRequestWith is likely to be affected.
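The composition described above (decodeRequest feeding a directive that buffers the whole body in memory) beside a bounded variant, as an added example that is not part of the advisory and not Akka HTTP's own code. It assumes the Akka HTTP 10.1 route DSL; the 1 MiB limit, the route paths and the placement of `withSizeLimit` inside `decodeRequest` are this example's own choices, and the primary remediation remains upgrading to a fixed release.

```scala
import akka.actor.ActorSystem
import akka.http.scaladsl.Http
import akka.http.scaladsl.server.Directives._
import akka.http.scaladsl.server.Route
import akka.stream.ActorMaterializer

// Added example, not code from the advisory or from Akka HTTP itself.
// Target: Akka HTTP 10.1.x route DSL. The limit value and route paths are
// illustrative choices (assumption); upgrading is the primary remediation.
object BoundedDecodeExample {

  // Upper bound on *decompressed* bytes a single request may expand to.
  // 1 MiB is an illustrative choice, not a value from the advisory.
  val MaxDecodedBytes: Long = 1024L * 1024L

  // Shape the advisory describes as affected: decodeRequest inflates the body
  // with no limit of its own, and entity(as[String]) then buffers the whole
  // inflated stream in memory. A small gzip body can expand to gigabytes here.
  val unboundedRoute: Route =
    path("unbounded") {
      decodeRequest {
        entity(as[String]) { body =>
          complete(s"received ${body.length} chars")
        }
      }
    }

  // Defensive shape: withSizeLimit is nested *inside* decodeRequest, so it is
  // applied to the entity after decoding and counts inflated bytes rather than
  // bytes on the wire. (Assumption of this example: a withSizeLimit placed
  // outside decodeRequest would only see the compressed size.) Exceeding the
  // limit fails the entity stream with EntityStreamSizeException, which the
  // default ExceptionHandler maps to 413 RequestEntityTooLarge instead of
  // letting the process run out of memory.
  val boundedRoute: Route =
    path("bounded") {
      decodeRequest {
        withSizeLimit(MaxDecodedBytes) {
          entity(as[String]) { body =>
            complete(s"received ${body.length} chars")
          }
        }
      }
    }

  def main(args: Array[String]): Unit = {
    implicit val system: ActorSystem = ActorSystem("decode-example")
    implicit val materializer: ActorMaterializer = ActorMaterializer()
    // Serve both routes side by side so their behaviour can be compared locally.
    Http().bindAndHandle(unboundedRoute ~ boundedRoute, "127.0.0.1", 8080)
  }
}
```

The ordering is the whole point: a size limit applied before decompression bounds only the compressed payload, which is exactly the quantity a zip bomb keeps small. Placing the limit after the decoder makes the inflated byte count the thing that is checked, so the request fails fast with a 413 rather than growing the heap until the process dies.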
The CVSS score of this vulnerability is 7.3 (High), based on vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:W/RC:C.
Rationale for the score:
All previously released Akka HTTP versions are affected:
10.1.x versions prior to 10.1.5
10.0.x versions prior to 10.0.14
Not affected: BodyParsers).