N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-61778

GHSA ID

GHSA-jhpv-4q4f-43g5

EPSS Score

0.13293%

CWE

CWE-290

Published

10/7/2025

Updated

10/7/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-61778

CVE-2025-61778: Akka.Remote TLS did not properly implement certificate-based authentication

Impact

This is a critical network security vulnerability for Akka.Remote users who have SSL / TLS enabled on their Akka.Remote connections and were expecting certificate-based authentication to be enforced on all peers attempting to join the network.

In all versions of Akka.Remote from v1.2.0 to v1.5.51, TLS could be enabled via our akka.remote.dot-netty.tcp transport and this would correctly enforce private key validation on the server-side of inbound connections. Akka.Remote, however, never asked the outbound-connecting client to present ITS certificate - therefore it's possible for untrusted parties to connect to a private key'd Akka.NET cluster and begin communicating with it without any certificate.

The issue here is that for certificate-based authentication to work properly, ensuring that all members of the Akka.Remote network are secured with the same private key, Akka.Remote needed to implement mutual TLS. This was not the case before Akka.NET v1.5.52.

If you are running Akka.NET inside a private network you fully control or you were never using TLS in the first place, then this bug has no impact on you. However: if you are using TLS to secure your network YOU MUST upgrade to Akka.NET V1.5.52 or later.

Patches

https://github.com/akkadotnet/akka.net/pull/7847 - forces "fail fast" semantics if TLS is enabled but the private key is missing or invalid. Previous versions would only check that once connection attempts occurred. https://github.com/akkadotnet/akka.net/pull/7851 - critical fix: enforces mutual TLS (mTLS) by default, so both parties must be keyed using the same certificate. This fulfills the original security

These updates have been shipped into Akka.NET v1.5.52: https://github.com/akkadotnet/akka.net/releases/tag/1.5.52

Workarounds

If your application isn't exposed publicly, then CVE-2025-61778 has no practical impact on your application. That being said: upgrading to Akka.NET v1.5.52 or later is a good idea.

References

Please view our latest network security documentation here: https://getakka.net/articles/remoting/security.html

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-61778

GHSA ID

GHSA-jhpv-4q4f-43g5

EPSS Score

0.13293%

CWE

CWE-290

Published

10/7/2025

Updated

10/7/2025

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Akka.Remote	nuget	>= 1.2.0, < 1.5.52	1.5.52
Akka.Cluster	nuget	>= 1.2.0, < 1.5.52	1.5.52

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, CVE-2025-61778, is a critical authentication bypass in Akka.Remote's TLS implementation. The root cause is the failure to enforce mutual TLS (mTLS), where both the client and server must authenticate each other using certificates.

My analysis of the patches shows two main issues were addressed:

Lack of Mutual Authentication: The primary vulnerability was that the server-side TLS pipeline, configured in Akka.Remote.Transport.DotNetty.DotNettyTransport.SetServerPipeline, did not require connecting clients to present a certificate. Simultaneously, the client-side pipeline, configured in Akka.Remote.Transport.DotNetty.DotNettyTransport.SetClientPipeline, was not set up to offer a client certificate. This allowed any unauthenticated client to connect to a TLS-enabled Akka.NET cluster, completely bypassing the intended certificate-based security.
No Fail-Fast on Misconfiguration: A related security weakness was found in the Akka.Remote.Transport.DotNetty.DotNettyTransport.Listen method. The system would start up without verifying if the server certificate's private key was actually accessible. This could lead an administrator to believe the system was secure, when in fact it was either non-functional or improperly secured. The patch introduced the Akka.Remote.Transport.DotNetty.SslSettings.ValidateCertificate method to perform this check at startup.

The identified vulnerable functions are the exact locations where these flawed logic patterns existed. During an exploit, an attacker's malicious client would connect to a vulnerable server, and the SetServerPipeline function on the server would be instrumental in incorrectly establishing the unauthenticated connection.

Vulnerable functions

Akka.Remote.Transport.DotNetty.DotNettyTransport.SetServerPipeline

src/core/Akka.Remote/Transport/DotNetty/DotNettyTransport.cs

This function sets up the server-side network pipeline. The original implementation configured the TLS handler to only perform server-side authentication, without requiring or validating a certificate from the connecting client. This allowed any client, even one without a valid certificate, to establish a TLS connection, bypassing certificate-based authentication. The vulnerability is the failure to enforce mutual TLS (mTLS).

Akka.Remote.Transport.DotNetty.DotNettyTransport.SetClientPipeline

src/core/Akka.Remote/Transport/DotNetty/DotNettyTransport.cs

This function sets up the client-side network pipeline. The original implementation did not configure the client to present its own certificate to the server during the TLS handshake. This is the client-side counterpart to the server's failure to require a certificate. While the primary flaw is the server's lack of enforcement, this function is part of the vulnerable workflow, as it demonstrates the lack of mutual authentication from the client's perspective.

Akka.Remote.Transport.DotNetty.DotNettyTransport.Listen

src/core/Akka.Remote/Transport/DotNetty/DotNettyTransport.cs

This function starts the server-side transport listener. Prior to the patch, it did not validate whether the configured SSL certificate's private key was accessible at startup. This allowed a server to start and appear healthy even with a misconfigured or inaccessible certificate, creating a false sense of security. The actual connection would fail at runtime during the TLS handshake. The vulnerability was the lack of fail-fast validation, which was fixed by adding a call to `Settings.Ssl.ValidateCertificate()` at the beginning of the function.

Akka.Remote.Transport.DotNetty.SslSettings.ValidateCertificate

src/core/Akka.Remote/Transport/DotNetty/DotNettyTransportSettings.cs

This function was added to fix a vulnerability where the server would start without a valid private key. The original code in the SslSettings constructors did not properly validate private key access. The absence of this validation logic is the vulnerability. This function, added by the patch, now performs the necessary checks on the certificate's private key (both RSA and ECDSA) to ensure it is accessible, preventing the server from starting in an insecure or non-functional state.

WAF Protection Rules

WAF Rule

### Imp**t T*is is * *riti**l n*twork s**urity vuln*r**ility *or *kk*.R*mot* **us*rs w*o **v* SSL / TLS *n**l**** on t**ir *kk*.R*mot* *onn**tions *n* w*r* *xp**tin* **rti*i**t*-**s** *ut**nti**tion to ** *n*or*** on *ll p**rs *tt*mptin* to join t**

Reasoning

T** vuln*r**ility, *V*-****-*****, is * *riti**l *ut**nti**tion *yp*ss in *kk*.R*mot*'s TLS impl*m*nt*tion. T** root **us* is t** **ilur* to *n*or** mutu*l TLS (mTLS), w**r* *ot* t** *li*nt *n* s*rv*r must *ut**nti**t* **** ot**r usin* **rti*i**t*s.

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-61778: Akka.Remote TLS did not properly implement certificate-based authentication

Impact

Patches

Workarounds

References

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI