The HTTP specification allows arbitrary nesting of comment elements in User-Agent and other headers. While parsing a request containing a header with deeply nested comments, Akka HTTP may fail with a stack overflow in the parser. Stack overflows are handled as fatal errors in Akka, leading to a complete shutdown of the application.
Based on our assessment, the CVSS score of this vulnerability is 6.7, based on vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C).
An Akka HTTP application server which is exposed to the internet can be remotely crashed by sending a crafted User-Agent header, leading to a loss of availability.
Starting from Akka HTTP 10.2.7, parsing of nested comments will be limited to a configurable maximum depth. See akka.http.parsing.max-comment-parsing-depth in the configuration for more information. The default value for that setting is currently conservatively set to
Setting akka.http.server.parsing.modeled-header-parsing = off avoids parsing headers to models. In this case, Akka HTTP will report most headers as RawHeaders, which will likely have consequences for downstream user code that expects headers to be already parsed.
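To illustrate the class of defect and the shape of the fix, here is an added example (not Akka HTTP's own parser) of a recursive parser for the RFC 7230 comment production with an explicit nesting cap; the constant MAX_COMMENT_DEPTH stands in for akka.http.parsing.max-comment-parsing-depth, and its value is an assumption for the example, not the library default.

```python
# Added example: depth-limited parser for the RFC 7230 `comment` production
#   comment     = "(" *( ctext / quoted-pair / comment ) ")"
#   quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text )
# Nesting is handled by recursion, so without a cap the recursion depth is
# bounded only by the header length. MAX_COMMENT_DEPTH is an assumed value
# for this example, playing the role of max-comment-parsing-depth.

MAX_COMMENT_DEPTH = 5


class CommentTooDeep(ValueError):
    """Raised instead of letting recursion run until the stack overflows."""


def parse_comment(text, pos=0, depth=1, max_depth=MAX_COMMENT_DEPTH):
    """Parse one comment starting at text[pos] == '('.

    Returns (parsed, next_pos): `parsed` is a list of strings and nested
    lists (one list per nested comment). Raises CommentTooDeep when the
    nesting exceeds max_depth and ValueError on malformed input.
    """
    if depth > max_depth:
        raise CommentTooDeep(f"comment nesting exceeds {max_depth}")
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '('")
    items, buf, i = [], [], pos + 1
    while i < len(text):
        ch = text[i]
        if ch == "\\":  # quoted-pair: the next character is literal
            if i + 1 >= len(text):
                raise ValueError("dangling backslash")
            buf.append(text[i + 1])
            i += 2
        elif ch == "(":  # nested comment: recurse one level deeper
            if buf:
                items.append("".join(buf))
                buf = []
            inner, i = parse_comment(text, i, depth + 1, max_depth)
            items.append(inner)
        elif ch == ")":
            if buf:
                items.append("".join(buf))
            return items, i + 1
        else:
            buf.append(ch)
            i += 1
    raise ValueError("unterminated comment")


def comment_depth_ok(header_value, max_depth=MAX_COMMENT_DEPTH):
    """True if every comment in a header value parses within max_depth."""
    i = 0
    while i < len(header_value):
        if header_value[i] != "(":
            i += 1
            continue
        try:
            _, i = parse_comment(header_value, i, 1, max_depth)
        except ValueError:  # includes CommentTooDeep
            return False
    return True
```

A constructed header such as `"Mozilla/5.0 (X11; Linux) Gecko (a(b(c)))"` passes, while one nesting six levels deep is rejected before the recursion gets anywhere near the stack limit.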
Thanks, Simone Quatrini of SureCloud, for bringing this issue to our attention.