CVE-2021-23339
MEDIUM6.5EPSS 0.21%HTTP Request Smuggling in akka-http-core
Published: 5/10/2021Modified: 3/13/2026
Also known as:GHSA-2w7w-2j92-44hx
Description
A vulnerable Akka HTTP server will accept a malformed message and hand it over to the user. If the user application proxies this message to another server unchanged and that server also accepts that message but interprets it as two HTTP messages, the second message has reached the second server without having been inspected by the proxy.
Affected packages (1)
- Maven/com.typesafe.akka:akka-http-core>= 10.2.0, < 10.2.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-23339
- WEBhttps://doc.akka.io/docs/akka-http/10.1/security/2021-02-24-incorrect-handling-of-Transfer-Encoding-header.html
- WEBhttps://github.com/akka/akka-http/commit/e3a4935151c91cee28e65e6b894dd50839ef9d34
- WEBhttps://github.com/akka/akka-http/pull/3754%23issuecomment-779265201
- WEBhttps://snyk.io/vuln/SNYK-JAVA-COMTYPESAFEAKKA-1075043