PT-2021-15443 · Lightbend · Akka-Http-Core

Bastian Ike

Published 2021-02-17 · Updated 2021-05-10

CVE-2021-23339

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: com.typesafe.akka:akka-http-core versions prior to 10.1.14; com.typesafe.akka:akka-http-core versions 10.2.0 through 10.2.4

Description: Affected versions accept HTTP messages that carry multiple Transfer-Encoding headers, so a malformed message is accepted by a vulnerable Akka HTTP server. If such a message is proxied to another server without inspection, the downstream server may interpret it as two HTTP messages, potentially bypassing security checks.

Recommendations: For versions prior to 10.1.14, update to version 10.1.14 or later. For versions 10.2.0 through 10.2.4, update to a version later than 10.2.4. As a temporary workaround, consider restricting the acceptance of multiple Transfer-Encoding headers in the Akka HTTP server configuration until a patch is available.
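The check a front-end proxy or WAF would apply before forwarding a request, as an added example in Python (not Akka HTTP's own code; sample requests are constructed here). It rejects the duplicated Transfer-Encoding field described above and, going beyond this advisory's case, also applies the RFC 7230 section 3.3.3 rules on chunked ordering and Content-Length conflicts.

```python
from typing import List, Optional, Tuple

# Constructed sample requests (not from the advisory): one well-formed
# chunked request and one carrying the duplicated Transfer-Encoding field.
SAMPLES = {
    "clean": (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n"),
    "duplicate_te": (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                     b"Transfer-Encoding: chunked\r\n"
                     b"Transfer-Encoding: chunked\r\n\r\n"),
}


def parse_header_block(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x head into the start line and (name, value) pairs.
    Names are lower-cased; obs-fold and space-before-colon are rejected."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):
            raise ValueError("obsolete line folding is not accepted")
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip()))
    return lines[0], headers


def transfer_encoding_problem(headers: List[Tuple[str, str]]) -> Optional[str]:
    """Return why the message is unsafe to forward, or None if acceptable.
    Rule 1 is the advisory's case; rules 2 and 3 follow RFC 7230 s3.3.3
    (chunked must be last; Transfer-Encoding excludes Content-Length)."""
    te = [v for n, v in headers if n == "transfer-encoding"]
    if len(te) > 1:
        return f"{len(te)} Transfer-Encoding header fields present"
    if not te:
        return None
    codings = [c.strip().lower() for c in te[0].split(",")]
    if "chunked" in codings and codings[-1] != "chunked":
        return "chunked is not the final transfer coding"
    if any(n == "content-length" for n, _ in headers):
        return "Transfer-Encoding and Content-Length both present"
    return None


def check_request(raw: bytes) -> Optional[str]:
    """Parse a raw request head and return the rejection reason, if any."""
    return transfer_encoding_problem(parse_header_block(raw)[1])
```

A request that returns a reason should be answered with 400 and the connection closed rather than forwarded, since the downstream parser's interpretation is exactly what cannot be trusted.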

Fix

HTTP Request/Response Smuggling

Weakness Enumeration

Related Identifiers

CVE-2021-23339
GHSA-2W7W-2J92-44HX
SNYK-JAVA-COMTYPESAFEAKKA-1075043

Affected Products

Akka-Http-Core