CVE-2025-46548: Pekko Management may not properly apply authenticator when Basic Authentication enabled
6.5
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.pekko:pekko-management_2.12 | maven | < 1.1.1 | 1.1.1 |
| com.lightbend.akka.management:akka-management_2.13 | maven | < 1.6.1 | 1.6.1 |
| org.apache.pekko:pekko-management_2.13 | maven | < 1.1.1 | 1.1.1 |
| org.apache.pekko:pekko-management_3 | maven | < 1.1.1 | 1.1.1 |
| com.lightbend.akka.management:akka-management_2.12 | maven | < 1.6.1 | 1.6.1 |
| com.lightbend.akka.management:akka-management_3 | maven | < 1.6.1 | 1.6.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
As described in the advisory, the vulnerability occurs when Basic Authentication is enabled through the Java DSL in Akka Management or Pekko Management, with the result that the configured authenticator is not properly applied. Analysis of the referenced patches (akka-management commit be01cc74bbfc53dc476dd06d823da3b0dcb47857 and pekko-management commit e484ab1c598d8b51215a0825d8b37dd61ad3d0e0) shows that the root cause was the incorrect use of the .optional directive together with authenticateBasicAsync on the Java DSL authentication path inside the wrapWithAuthenticatorIfPresent method, in both AkkaManagement.scala and PekkoManagement.scala.
The .optional directive in Akka HTTP's routing DSL turns an authentication directive from mandatory into optional. This means that if the authentication process (here, the one defined via the Java DSL) failed or did not yield an authenticated user, the request was still passed on to the protected route, effectively bypassing authentication. This matches the advisory's wording that the authenticator "may not be properly applied".
The fix refactors the authentication logic so that, whenever an authenticator is configured (via either the Scala or the Java DSL), it is applied strictly, without the .optional directive, and authentication is therefore enforced. The wrapWithAuthenticatorIfPresent function in both Akka and Pekko is the precise location where the flawed logic existed and was subsequently corrected. This function would therefore appear in a runtime profile when the vulnerability is triggered, since it is the point at which authentication is (improperly) handled.
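The following is an added illustration written for this page, not code from the Akka or Pekko Management projects or from the referenced commits. It reproduces the two directive shapes the analysis contrasts using the Akka HTTP Scala DSL (the advisory concerns the Java DSL path, but `.optional` has the same semantics there): a wrapper that applies `authenticateBasicAsync(...).optional` and one that applies the directive strictly, plus a route test showing that the first lets unauthenticated and wrongly authenticated requests reach the inner route while the second returns 401. The object and method names (`AuthWrapExample`, `demoAuthenticator`, `wrapOptional`, `wrapStrict`), the realm string "management" and the demo user/secret pair are assumptions constructed for the example.

```scala
import akka.http.scaladsl.model.StatusCodes
import akka.http.scaladsl.model.headers.BasicHttpCredentials
import akka.http.scaladsl.server.Directives._
import akka.http.scaladsl.server.Route
import akka.http.scaladsl.server.directives.Credentials
import akka.http.scaladsl.testkit.ScalatestRouteTest
import org.scalatest.matchers.should.Matchers
import org.scalatest.wordspec.AnyWordSpec
import scala.concurrent.Future

object AuthWrapExample {
  // Constructed demo authenticator (hypothetical): accepts exactly one user/secret pair.
  // A real deployment would verify against a credential store.
  def demoAuthenticator(credentials: Credentials): Future[Option[String]] =
    credentials match {
      case p @ Credentials.Provided(id) if id == "ops" && p.verify("demo-secret") =>
        Future.successful(Some(id))
      case _ =>
        Future.successful(None) // missing or wrong credentials
    }

  // Vulnerable shape: `.optional` turns the mandatory AuthenticationDirective into a
  // Directive1[Option[String]]. Missing or failed authentication yields None and the inner
  // route still runs, so the authenticator is effectively not applied.
  def wrapOptional(inner: Route): Route =
    authenticateBasicAsync("management", demoAuthenticator).optional { _ => inner }

  // Hardened shape: the directive is applied as-is. Missing or failed credentials produce an
  // AuthenticationFailedRejection, which a sealed route renders as 401 Unauthorized.
  def wrapStrict(inner: Route): Route =
    authenticateBasicAsync("management", demoAuthenticator) { _ => inner }
}

// Regression test contrasting both wrappers on the same inner route.
class AuthWrapSpec extends AnyWordSpec with Matchers with ScalatestRouteTest {
  private val inner: Route = complete("ok")
  private val good = BasicHttpCredentials("ops", "demo-secret")
  private val bad  = BasicHttpCredentials("ops", "wrong")

  "the .optional wrapper" should {
    "let an unauthenticated request reach the route (the CVE-2025-46548 behaviour)" in {
      Get("/") ~> Route.seal(AuthWrapExample.wrapOptional(inner)) ~> check {
        status shouldBe StatusCodes.OK
      }
    }
    "let a request with wrong credentials reach the route as well" in {
      Get("/") ~> addCredentials(bad) ~> Route.seal(AuthWrapExample.wrapOptional(inner)) ~> check {
        status shouldBe StatusCodes.OK
      }
    }
  }

  "the strict wrapper" should {
    "reject an unauthenticated request with 401" in {
      Get("/") ~> Route.seal(AuthWrapExample.wrapStrict(inner)) ~> check {
        status shouldBe StatusCodes.Unauthorized
      }
    }
    "reject wrong credentials with 401" in {
      Get("/") ~> addCredentials(bad) ~> Route.seal(AuthWrapExample.wrapStrict(inner)) ~> check {
        status shouldBe StatusCodes.Unauthorized
      }
    }
    "accept valid credentials" in {
      Get("/") ~> addCredentials(good) ~> Route.seal(AuthWrapExample.wrapStrict(inner)) ~> check {
        status shouldBe StatusCodes.OK
        responseAs[String] shouldBe "ok"
      }
    }
  }
}
```

The test is the kind of check a team upgrading to akka-management 1.6.1 or pekko-management 1.1.1 can keep in its own suite: it pins the expectation that, with an authenticator configured, an unauthenticated request to a management endpoint is rejected rather than served.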