CVE-2021-42697

HIGH

Akka HTTP 10.1.0-10.1.14 and 10.2.0-10.2.6 - Denial of Service via User-Agent Header with Nested Comments

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-42697. PoCs published by cxosmo.

AI-analyzed exploit summary This exploit triggers a denial of service (DoS) in Akka HTTP by sending a request with a nested header comment payload exceeding the default header limit, causing a stack overflow. It includes a connectivity check followed by the malicious request.

Description

Akka HTTP 10.1.x before 10.1.15 and 10.2.x before 10.2.7 can encounter stack exhaustion while parsing HTTP headers, which allows a remote attacker to conduct a Denial of Service attack by sending a User-Agent header with deeply nested comments.

Exploits (2)

exploitdb WORKING POC
by cxosmo · pythonremotemultiple
https://www.exploit-db.com/exploits/50892

This exploit triggers a denial of service (DoS) in Akka HTTP by sending a request with a nested header comment payload exceeding the default header limit, causing a stack overflow. It includes a connectivity check followed by the malicious request.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Akka HTTP 10.1.x < 10.1.15 & 10.2.x < 10.2.7
No auth needed
Prerequisites: Network access to the target Akka HTTP server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by cxosmo · poc
https://github.com/cxosmo/CVE-2021-42697

This PoC demonstrates a Denial of Service (DoS) attack against Akka HTTP servers by sending a User-Agent header with deeply nested comments, triggering stack exhaustion. The script first checks target reachability and then sends the malicious payload.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Akka HTTP 10.1.x before 10.1.15 and 10.2.x before 10.2.7
No auth needed
Prerequisites: Network access to the target Akka HTTP server
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://akka.io/blog/news/2021/11/02/akka-http-10.2.7-released
Release Notes, Vendor Advisory x_refsource_misc
https://akka.io/blog/news/2021/11/22/akka-http-10.1.15-released
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/167018/Akka-HTTP-10.1.14-Denial-Of-Service.html
Vendor Advisory x_refsource_misc
https://akka.io/blog/

Scores

CVSS v3 7.5
EPSS 0.7554
EPSS Percentile 98.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-674
Status published
Products (8)
akka/http_server 10.1.0 - 10.1.15
com.typesafe.akka/aakka-http-core_2.13.0-M3 10.1.0Maven
com.typesafe.akka/akka-http-core_2.11 10.1.0 - 10.1.15Maven
com.typesafe.akka/akka-http-core_2.12 10.1.0 - 10.1.15Maven
com.typesafe.akka/akka-http-core_2.13 10.1.0 - 10.1.15Maven
com.typesafe.akka/akka-http-core_2.13.0-M5 10.1.0Maven
com.typesafe.akka/akka-http-core_2.13.0-RC2 10.1.0Maven
com.typesafe.akka/akka-http-core_2.13.0-RC3 10.1.0Maven
Published Nov 02, 2021
Tracked Since Feb 18, 2026