VYPR
High severity · NVD Advisory · Published Nov 2, 2021 · Updated Aug 4, 2024

CVE-2021-42697

Description

Akka HTTP versions before 10.1.15 and 10.2.7 are vulnerable to denial of service via stack exhaustion from deeply nested User-Agent header comments.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Akka HTTP versions 10.1.x before 10.1.15 and 10.2.x before 10.2.7 suffer from a stack exhaustion vulnerability during HTTP header parsing [4]. A remote attacker can trigger this by sending a specially crafted User-Agent header containing deeply nested comments, causing the parser to consume excessive stack space [4].

Exploitation

An attacker can exploit this vulnerability without authentication or any special network position, as the HTTP server will parse the header upon receiving the request. The attacker simply sends an HTTP request with a User-Agent header that has deeply nested comments (e.g., multiple levels of parentheses). No user interaction is required [4].
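To make the parsing issue concrete, here is an added Python example (not Akka HTTP code, which is Scala, and not taken from the advisory or its references): an iterative walk over a header value that reports the deepest comment nesting seen, so that a reverse proxy or pre-parse filter can refuse pathological nesting before the value reaches a recursive parser. The depth cap of 16 and the sample header values are constructed assumptions, not values from the advisory.

```python
# RFC 7230 section 3.2.6: comment = "(" *( ctext / quoted-pair / comment ) ")"
# A naive recursive-descent parser recurses once per nested "(", so the
# nesting depth of a comment maps directly onto stack depth.  This
# validator walks the value iteratively (no recursion), honours
# quoted-pairs (backslash escapes) inside comments, and reports the
# deepest nesting it saw.

MAX_COMMENT_DEPTH = 16  # assumed policy value; set to what real clients need


def max_comment_depth(header_value: str) -> int:
    """Return the maximum comment nesting depth in a User-Agent-style
    header value.  Unbalanced input yields the deepest level reached."""
    depth = 0
    deepest = 0
    i = 0
    n = len(header_value)
    while i < n:
        ch = header_value[i]
        if ch == "\\" and depth > 0:
            # quoted-pair inside a comment: the next character is literal,
            # so an escaped "(" or ")" must not change the depth
            i += 2
            continue
        if ch == "(":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == ")" and depth > 0:
            depth -= 1
        i += 1
    return deepest


def is_header_acceptable(header_value: str, max_depth: int = MAX_COMMENT_DEPTH) -> bool:
    """Policy check suitable for a proxy or a pre-parse filter in front
    of a server whose header parser recurses on nested comments."""
    return max_comment_depth(header_value) <= max_depth


# Constructed sample values (not from the advisory).
NORMAL_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
ESCAPED_UA = r"curl/7.79 (libcurl \( not nested \))"
NESTED_UA = "bot/1.0 " + "(" * 40 + "x" + ")" * 40

if __name__ == "__main__":
    for ua in (NORMAL_UA, ESCAPED_UA, NESTED_UA):
        print(f"depth={max_comment_depth(ua):3d} ok={is_header_acceptable(ua)}  {ua[:40]}")
```

The same walk can be used as a detection rule over access logs that record User-Agent values: any request whose value exceeds the cap is worth alerting on.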

Impact

Successful exploitation leads to a denial of service (DoS) condition due to stack exhaustion, crashing the Akka HTTP server process. This can result in service unavailability for legitimate users [4].

Mitigation

The vulnerability is fixed in Akka HTTP versions 10.1.15 [3] and 10.2.7 [1]; users should upgrade to these versions or later. No workarounds are documented. No exploitation in the wild is reported in the cited references, though this is unconfirmed. Not listed on CISA KEV at the time of writing.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                      | Ecosystem | Affected versions       | Patched versions
com.typesafe.akka:akka-http-core_2.13.0-RC3  | Maven     | >= 10.1.0               |
com.typesafe.akka:akka-http-core_2.13.0-RC2  | Maven     | >= 10.1.0               |
com.typesafe.akka:akka-http-core_2.13.0-M5   | Maven     | >= 10.1.0               |
com.typesafe.akka:akka-http-core_2.13.0-M3   | Maven     | >= 10.1.0               |
com.typesafe.akka:akka-http-core_2.13        | Maven     | >= 10.1.0, < 10.1.15    | 10.1.15
com.typesafe.akka:akka-http-core_2.13        | Maven     | >= 10.2.0-M1, < 10.2.7  | 10.2.7
com.typesafe.akka:akka-http-core_2.12        | Maven     | >= 10.1.0, < 10.1.15    | 10.1.15
com.typesafe.akka:akka-http-core_2.12        | Maven     | >= 10.2.0-M1, < 10.2.7  | 10.2.7
com.typesafe.akka:akka-http-core_2.11        | Maven     | >= 10.1.0, < 10.1.15    | 10.1.15

Affected products: 8

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 9

News mentions: 0

No linked articles in our index yet.