CVE-2025-46548

medium

Description

If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue. Akka was affected by the same issue and has released the fix in version 1.6.1.

References

https://lists.apache.org/thread/tnd84hj9w0ggjcft6cp12q67d5jzhp66

https://github.com/apache/pekko-management/pull/418

https://github.com/akka/akka-management/pull/1385

http://www.openwall.com/lists/oss-security/2025/06/03/7

Details

Source: Mitre, NVD

Published: 2025-06-03

Updated: 2025-06-11

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00044