CVE-2021-23339: HTTP Request Smuggling in akka-http-core
6.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.43802%
CWE
Published
5/10/2021
Updated
2/21/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
com.typesafe.akka:akka-http-core | maven | >= 10.2.0, < 10.2.4 | 10.2.4 |
com.typesafe.akka:akka-http-core | maven | < 10.1.14 | 10.1.14 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper validation of Transfer-Encoding headers. The commit diff shows:
- HttpMessageParser's header processing was modified to reject multiple T-E headers and non-chunked encodings
- Both request/response parsers switched from tracking Transfer-Encoding headers to a simple 'isChunked' boolean
- Added validation failures for CL+T-E header combinations These changes indicate the original functions:
- Allowed multiple T-E headers via 'teh append' logic
- Failed to properly handle CL+T-E conflicts
- Accepted non-chunked encodings This matches the CWE-444 description of inconsistent HTTP message interpretation between proxy and backend servers.