CVE-2021-42697
HIGH
Akka HTTP Server < 10.1.15 - Denial of Service
Akka HTTP 10.1.x before 10.1.15 and 10.2.x before 10.2.7 can encounter stack exhaustion while parsing HTTP headers, which allows a remote attacker to conduct a Denial of Service attack by sending a User-Agent header with deeply nested comments.
Exploits (2)
References (5)
Scores
CVSS v3
7.5
EPSS
0.7554
EPSS Percentile
98.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-674
Status
published
Products (8)
akka/http_server
10.1.0 - 10.1.15
com.typesafe.akka/akka-http-core_2.13.0-M3
10.1.0 (Maven)
com.typesafe.akka/akka-http-core_2.11
10.1.0 - 10.1.15 (Maven)
com.typesafe.akka/akka-http-core_2.12
10.1.0 - 10.1.15 (Maven)
com.typesafe.akka/akka-http-core_2.13
10.1.0 - 10.1.15 (Maven)
com.typesafe.akka/akka-http-core_2.13.0-M5
10.1.0 (Maven)
com.typesafe.akka/akka-http-core_2.13.0-RC2
10.1.0 (Maven)
com.typesafe.akka/akka-http-core_2.13.0-RC3
10.1.0 (Maven)
Published
Nov 02, 2021
Tracked Since
Feb 18, 2026