decodeRequestWith, which handles compressed request data, did not limit the amount of uncompressed data flowing out of it. In combination with common request directives like formField, this can lead to excessive memory usage, ultimately leading to an out-of-memory situation when highly compressed data is received (a so-called “Zip Bomb”).

Any code that uses decodeRequestWith is likely to be affected.
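
The missing control is a cap on decoded output. The sketch below is an added example, not Akka HTTP code and not part of the original advisory: a streaming gzip decoder that stops as soon as the decoded size passes a limit. All function names, the limits used and the sample bodies are assumptions constructed for illustration.

```python
import gzip
import zlib


class DecodedSizeExceeded(Exception):
    """Decoded output grew past the configured cap."""


def bounded_gunzip(chunks, max_decoded_bytes, step=64 * 1024):
    """Decode an iterable of gzip-compressed byte chunks, refusing to
    produce more than max_decoded_bytes of output (hypothetical helper)."""
    decoder = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = bytearray()
    for chunk in chunks:
        data = chunk
        while data:
            # Request at most one byte beyond the remaining budget, so an
            # overrun is detected without inflating the rest of the input.
            budget = max_decoded_bytes - len(out) + 1
            out += decoder.decompress(data, min(step, budget))
            if len(out) > max_decoded_bytes:
                raise DecodedSizeExceeded(
                    f"decoded body exceeds {max_decoded_bytes} bytes")
            data = decoder.unconsumed_tail  # input held back by the length cap
    out += decoder.flush()
    if len(out) > max_decoded_bytes:
        raise DecodedSizeExceeded(f"decoded body exceeds {max_decoded_bytes} bytes")
    return bytes(out)


def as_chunks(body, size=1024):
    """Split a request body into network-sized chunks."""
    return (body[i:i + size] for i in range(0, len(body), size))


def decode_or_reject(body, max_decoded_bytes):
    """Return (status, decoded_length) the way a server might map the outcome."""
    try:
        return 200, len(bounded_gunzip(as_chunks(body), max_decoded_bytes))
    except DecodedSizeExceeded:
        return 413, None  # Payload Too Large


# Constructed sample inputs: a small form body, and 10 MiB of zero bytes
# that gzip shrinks to a few kilobytes on the wire.
SMALL_BODY = gzip.compress(b"name=alice&comment=hello")
HIGHLY_COMPRESSED_BODY = gzip.compress(bytes(10 * 1024 * 1024))
```
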
The CVSS score of this vulnerability is 7.3 (High), based on vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:W/RC:C.
Rationale for the score:
All previously released Akka HTTP versions are affected:
10.1.x versions prior to
10.0.x versions prior to