CVE-2018-16131
Description
Akka HTTP's decodeRequest directives do not limit decompressed data, allowing remote attackers to cause denial of service via a ZIP bomb.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The decodeRequest and decodeRequestWith directives in Lightbend Akka HTTP versions 10.1.x prior to 10.1.5 and 10.0.x prior to 10.0.14 (including 10.1.0-10.1.4 and 10.0.0-10.0.13) do not limit the amount of uncompressed data when handling compressed request bodies [1][4]. This allows an attacker to send a small compressed payload that expands to a large amount of data (a ZIP bomb), leading to excessive memory consumption [2].
Exploitation
An attacker can exploit this vulnerability remotely without authentication or user interaction [4]. The attacker sends an HTTP request whose body is compressed (e.g., gzip or deflate) at a very high compression ratio, such as a ZIP bomb. When the server processes the request using the decodeRequest or decodeRequestWith directives (commonly used with entity(as), toStrict, or formField), it decompresses the data without any size limit, causing memory exhaustion [1][4].
Impact
Successful exploitation results in a denial of service (DoS) due to memory consumption, potentially causing the Akka HTTP daemon to crash [2]. The CVSS score is 7.3 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [4]. Availability is highly affected, while confidentiality and integrity are not impacted.
Mitigation
The vulnerability is fixed in Akka HTTP versions 10.1.5 and 10.0.14, released on 2018-09-05 [1][4]. Users should upgrade to these versions or later. Play and Lagom applications are not affected because they implement their own content length validations [4]. No workaround is provided for affected versions; upgrading is the recommended mitigation.
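The mechanism the Vulnerability and Exploitation sections describe, shown as an added illustration rather than Akka HTTP's own Scala code: Python's zlib is used here only because the pattern is language-independent. A constructed gzip body of repeated zero bytes expands roughly a thousandfold; one decoder buffers the whole result with no ceiling (the behaviour the advisory describes), while the other stops as soon as decoded output exceeds a fixed budget. The function names, the sample payload and the 1 MiB limit are assumptions made for this example and are not taken from the Akka HTTP fix.

```python
import gzip
import zlib


class DecompressedSizeExceeded(Exception):
    """Raised when a compressed body would decode to more than the allowed size."""


def make_compressed_payload(size_bytes: int) -> bytes:
    """Constructed sample input: gzip-compress a run of zero bytes.

    Highly repetitive data compresses by roughly 1000:1, which is the property a
    decompression bomb relies on: a few KB on the wire become megabytes in memory.
    """
    return gzip.compress(b"\x00" * size_bytes)


def decompress_unbounded(data: bytes) -> int:
    """The pattern the advisory describes: decode the entire body into memory
    with no ceiling on the output. Returns the decoded size so the expansion is
    visible without keeping the buffer around."""
    return len(gzip.decompress(data))


def decompress_bounded(data: bytes, max_bytes: int) -> bytes:
    """Decode a gzip body but stop as soon as the output exceeds max_bytes.

    zlib's decompressobj accepts a max_length per call, so the decoder is asked
    for at most (remaining budget + 1) bytes at a time; receiving that extra
    byte is the proof that the limit was exceeded. Compressed input that was
    not yet consumed comes back in unconsumed_tail and is fed in again on the
    next iteration. wbits=31 selects gzip framing.
    """
    decoder = zlib.decompressobj(wbits=31)
    out = bytearray()
    pending = data
    while pending:
        budget = max_bytes - len(out) + 1
        out += decoder.decompress(pending, budget)
        if len(out) > max_bytes:
            raise DecompressedSizeExceeded(
                f"decoded output exceeded the {max_bytes}-byte limit")
        pending = decoder.unconsumed_tail
    return bytes(out)


def exceeds_limit(data: bytes, max_bytes: int) -> bool:
    """Convenience check: would this body blow through the limit?"""
    try:
        decompress_bounded(data, max_bytes)
    except DecompressedSizeExceeded:
        return True
    return False


if __name__ == "__main__":
    body = make_compressed_payload(8 * 1024 * 1024)  # 8 MiB of zeros, constructed
    print(f"on the wire: {len(body)} bytes, decoded: {decompress_unbounded(body)} bytes")
    print(f"rejected under a 1 MiB limit: {exceeds_limit(body, 1024 * 1024)}")
```

The important design point is that the limit is enforced on the decoded output, not on the Content-Length of the compressed request: a byte count on the wire says nothing about how much memory the body will occupy once inflated, which is exactly why a small request could exhaust the affected server.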
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.typesafe.akka:akka-http-core_2.12 (Maven) | >= 10.1.0, < 10.1.4 | 10.1.4 |
| com.typesafe.akka:akka-http-core_2.11 (Maven) | >= 10.1.0, < 10.1.4 | 10.1.4 |
Affected products
2 entries (ghsa-coords; no CPE assigned):
- range: >= 10.1.0, < 10.1.4
- range: >= 10.1.0, < 10.1.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7 references:
- github.com/advisories/GHSA-9qgc-p27w-3hjg (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-16131 (GHSA; advisory)
- akka.io/blog/news/2018/08/30/akka-http-dos-vulnerability-found (GHSA; x_refsource_MISC; web)
- doc.akka.io/docs/akka-http/current/security/2018-09-05-denial-of-service-via-decodeRequest.html (GHSA; x_refsource_CONFIRM; web)
- github.com/akka/akka-http/issues/2137 (GHSA; x_refsource_MISC; web)
- groups.google.com/forum/ (GHSA; web)
- groups.google.com/forum/ (MITRE; x_refsource_MISC)
News mentions
No linked articles in our index yet.