PT-2025-40934

Aaronontheweb

Published: 2025-10-06 · Updated: 2025-10-10

CVE-2025-61778

CVSS v4.0: 9.3 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Akka.NET versions 1.2.0 through 1.5.51
Description: Akka.NET, a .NET port of the Akka project, has an issue where the Akka.Remote component did not implement mutual TLS (mTLS) in versions 1.2.0 through 1.5.51. When TLS was enabled via the akka.remote.dot-netty.tcp transport, the listening side correctly validated and used its own certificate and private key for inbound connections, but it never required the connecting client to present a certificate. The certificate therefore authenticated the server to the client, never the client to the server: any party able to reach the remoting port could complete a TLS handshake with a cluster "secured" by a private key and begin exchanging remoting messages without authentication. The issue was addressed in 1.5.52 by enforcing mTLS by default, requiring both parties to be keyed with the same certificate. A patch was also implemented to enforce "fail fast" semantics, so that a node with TLS enabled but a missing or invalid private key fails immediately instead of continuing to run. The vulnerability does not affect deployments that keep Akka.NET inside a private network, nor those that were not using TLS at all (which had no transport-layer authentication to bypass in the first place).
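The description above is easiest to verify on a plain TLS connection. The following Go program is an added example written for this page, not Akka.NET or advisory code: it stands up a loopback TLS listener with Go's standard library and maps the two behaviours onto the one setting that matters. tls.NoClientCert models the 1.2.0 through 1.5.51 listener (keyed, but never asks the client for a certificate); tls.RequireAndVerifyClientCert models the 1.5.52 listener with mTLS enforced. The self-signed certificate is generated at run time as constructed test data and plays the role of the single certificate both sides are keyed with. Function names, the "akka-node" name and the 1-byte "admitted" marker are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newNodeIdentity builds one self-signed certificate used as both server identity and
// the only trusted client identity: one shared certificate per cluster (constructed data).
func newNodeIdentity() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "akka-node"},
		DNSNames:              []string{"akka-node"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced by the library itself
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// handshakeOutcome runs one loopback connection against a listener with the given
// client-auth policy; the client trusts the server and presents the node certificate
// only if clientPresentsCert. True means the peer was admitted: the server finished its
// handshake AND the client received the server's first application byte.
func handshakeOutcome(policy tls.ClientAuthType, clientPresentsCert bool) (bool, error) {
	cert, pool, err := newNodeIdentity()
	if err != nil {
		return false, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	defer ln.Close()
	// Added illustration, not Akka.NET code. ClientAuth is the one setting this advisory
	// is about: NoClientCert = pre-1.5.52 behaviour, RequireAndVerifyClientCert = enforced mTLS.
	serverCfg := &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: policy, ClientCAs: pool, MinVersion: tls.VersionTLS12}
	served := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			served <- err
			return
		}
		defer raw.Close()
		srv := tls.Server(raw, serverCfg)
		if err := srv.Handshake(); err != nil {
			served <- err // e.g. "tls: client didn't provide a certificate"
			return
		}
		_, err = srv.Write([]byte{0x01}) // first application byte: peer admitted
		served <- err
	}()
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "akka-node", MinVersion: tls.VersionTLS12}
	if clientPresentsCert {
		clientCfg.Certificates = []tls.Certificate{cert}
	}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return false, nil // TLS 1.2 path: the server rejects during the handshake itself
	}
	defer conn.Close()
	// TLS 1.3 path: the client handshake can finish before the server's alert arrives,
	// so the decisive check is whether application data ever comes back.
	conn.SetReadDeadline(time.Now().Add(5 * time.Second))
	_, readErr := conn.Read(make([]byte, 1))
	return readErr == nil && <-served == nil, nil
}

func main() {
	report := func(policy tls.ClientAuthType, withCert bool) {
		admitted, err := handshakeOutcome(policy, withCert)
		fmt.Printf("policy=%v clientCert=%v admitted=%v err=%v\n", policy, withCert, admitted, err)
	}
	report(tls.NoClientCert, false)               // 1.2.0-1.5.51 model: anonymous peer admitted
	report(tls.RequireAndVerifyClientCert, false) // 1.5.52 model: anonymous peer rejected
	report(tls.RequireAndVerifyClientCert, true)  // 1.5.52 model: node keyed with the cert admitted
}
```

The client-side subtlety is worth keeping in mind when probing a real endpoint: under TLS 1.3 a client that presents no certificate sees its own handshake succeed even against a server that requires one, because the server's "certificate required" alert only arrives afterwards. A probe that stops at the handshake result will wrongly report the fixed server as open; the meaningful signal is whether the server ever sends application data.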
Recommendations: Upgrade to Akka.NET version 1.5.52 or later. After upgrading, every node in the cluster must be keyed with the same certificate, and a node that has TLS enabled but no valid private key will fail fast rather than start. As a workaround, do not expose the Akka.Remote port publicly: restrict it to a private network reachable only by trusted nodes.
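To check whether a deployment is in scope, look for the transport setting the advisory refers to. The HOCON fragment below is an added example for this page, not taken from the advisory or the Akka.NET repository; the keys are Akka.NET's documented akka.remote.dot-netty.tcp settings, while the file path and password are placeholders. There is no configuration switch that distinguishes the vulnerable from the fixed behaviour: the same settings run without client authentication on 1.2.0 through 1.5.51 and with enforced mTLS on 1.5.52 or later, so the version is the check.

```hocon
akka.remote.dot-netty.tcp {
  # TLS on the remoting transport. On 1.2.0-1.5.51 this only authenticated the
  # server to connecting peers; on 1.5.52+ peers must present the same certificate.
  enable-ssl = true

  ssl {
    # Keep certificate validation on; disabling it removes the only peer check.
    suppress-validation = false

    certificate {
      # Placeholder values (added example). Every node in the cluster loads this
      # same certificate and private key, as the 1.5.52 fix requires.
      path = "/etc/akka/akka-node.pfx"
      password = "change-me"
      use-thumbprint-over-file = false
    }
  }
}
```

On 1.5.52 or later a node started with this block but a missing or unreadable PFX fails immediately instead of coming up without TLS, which is the "fail fast" behaviour the advisory describes.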

Weakness Enumeration

Missing Authentication (CWE-306)

Authentication Bypass by Spoofing (CWE-290)

Improper Certificate Validation (CWE-295)

Related Identifiers

CVE-2025-61778
GHSA-JHPV-4Q4F-43G5

Affected Products

Akka
Akka.Net