LATEST RELEASE: 24.05 — Zero Trust, DB Sharding, Java 21, Rust Support, and More. Read Release Notes

Denial of Service via unlimited decoding with decodeRequest directive ("zip bomb")




Directives decodeRequest and decodeRequestWith which handle compressed request data did not limit the amount of uncompressed data flowing out of it. In combination with common request directives like entity(as), toStrict, or formField, this can lead to excessive memory usage ultimately leading to an out of memory situation when highly compressed data is received (so-called “Zip Bomb”).

Any code that uses decodeRequest or decodeRequestWith is likely to be affected.


The CVSS score of this vulnerability is 7.3 (High), based on vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:W/RC:C.

Rationale for the score:

Affected Versions

All previously released Akka HTTP versions are affected:

Not affected:

Fixed Versions