Akka · Akka · CVE-2025-61778
**Name of the Vulnerable Software and Affected Versions**
Akka.NET versions 1.2.0 through 1.5.51
**Description**
In Akka.NET, a .NET port of the Akka project, the Akka.Remote component did not implement mutual TLS (mTLS) in versions 1.2.0 through 1.5.51. When TLS was enabled via the `akka.remote.dot-netty.tcp` transport, the server correctly validated private keys for inbound connections, but it did not require clients to present their certificates. This allowed untrusted parties to connect to a cluster secured with a private key and begin communicating without authentication. The issue was addressed by enforcing mTLS by default, requiring both parties to be keyed using the same certificate. A patch was also implemented to enforce "fail fast" semantics if TLS is enabled but the private key is missing or invalid. The vulnerability affects those running Akka.NET inside a private network or those who were not using TLS.
**Recommendations**
Upgrade to Akka.NET version 1.5.52 or later.
As a workaround, avoid exposing the application publicly.
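
To find builds that still resolve a version in the affected range, including ones that pull Akka.Remote in transitively, the following added example (not part of the advisory or the Akka.NET project) scans the contents of a NuGet `packages.lock.json`. It assumes the project uses NuGet lock files and that the component is resolved under the package ID `Akka.Remote`; the sample lock file is constructed.

```python
import json
import re

# Affected range as stated in the advisory: 1.2.0 through 1.5.51 (inclusive).
FIRST_AFFECTED = (1, 2, 0)
LAST_AFFECTED = (1, 5, 51)
PACKAGE = "Akka.Remote"  # assumed NuGet package ID of the affected component


def core_version(text):
    """Numeric (major, minor, patch); assumption: pre-release suffixes are ignored."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_affected(version):
    return FIRST_AFFECTED <= core_version(version) <= LAST_AFFECTED


def find_affected(lock_json):
    """Return (framework, dependency type, resolved version) for each affected hit."""
    hits = []
    for framework, packages in json.loads(lock_json).get("dependencies", {}).items():
        for name, entry in packages.items():
            # NuGet package IDs are case-insensitive.
            if name.lower() != PACKAGE.lower():
                continue
            resolved = entry.get("resolved")
            if resolved and is_affected(resolved):
                hits.append((framework, entry.get("type"), resolved))
    return hits


# Constructed sample lock file (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "Akka.Cluster": {"type": "Direct", "resolved": "1.5.40"},
            "Akka.Remote": {"type": "Transitive", "resolved": "1.5.40"},
        },
        "net9.0": {"Akka.Remote": {"type": "Direct", "resolved": "1.5.52"}},
    },
})

if __name__ == "__main__":
    for framework, kind, resolved in find_affected(SAMPLE_LOCK):
        print(f"{framework}: {PACKAGE} {resolved} ({kind}) is in the affected range")
```

Reading the lock file rather than the project file matters here because the resolved version of a transitive dependency never appears in a `PackageReference`.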