HTTP Request Smuggling in akka-http-core

GHSA-2w7w-2j92-44hx · CVE-2021-23339

Published May 10, 2021 · Modified Mar 13, 2026

Description

A vulnerable Akka HTTP server will accept a malformed message and hand it over to the user. If the user application proxies this message to another server unchanged and that server also accepts that message but interprets it as two HTTP messages, the second message has reached the second server without having been inspected by the proxy.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-23339
WEB https://github.com/akka/akka-http/pull/3754%23issuecomment-779265201
WEB https://github.com/akka/akka-http/commit/e3a4935151c91cee28e65e6b894dd50839ef9d34
WEB https://doc.akka.io/docs/akka-http/10.1/security/2021-02-24-incorrect-handling-of-Transfer-Encoding-header.html
WEB https://snyk.io/vuln/SNYK-JAVA-COMTYPESAFEAKKA-1075043

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes