CVE-2025-46548

If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue. Akka was affected by the same issue and has released the fix in version 1.6.1.

CVSS

No CVSS.

References

Link	Resource
http://www.openwall.com/lists/oss-security/2025/06/03/7	Mailing List Third Party Advisory
https://github.com/akka/akka-management/pull/1385	Exploit Issue Tracking
https://github.com/apache/pekko-management/pull/418	Issue Tracking Patch
https://lists.apache.org/thread/tnd84hj9w0ggjcft6cp12q67d5jzhp66	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:pekko_management:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:akka:akka_management:*:*:*:*:*:*:*:*

History

02 Jul 2025, 14:19

Type	Values Removed	Values Added
References	~~() https://lists.apache.org/thread/tnd84hj9w0ggjcft6cp12q67d5jzhp66 -~~	() https://lists.apache.org/thread/tnd84hj9w0ggjcft6cp12q67d5jzhp66 - Mailing List, Vendor Advisory
References	~~() http://www.openwall.com/lists/oss-security/2025/06/03/7 -~~	() http://www.openwall.com/lists/oss-security/2025/06/03/7 - Mailing List, Third Party Advisory
References	~~() https://github.com/akka/akka-management/pull/1385 -~~	() https://github.com/akka/akka-management/pull/1385 - Exploit, Issue Tracking
References	~~() https://github.com/apache/pekko-management/pull/418 -~~	() https://github.com/apache/pekko-management/pull/418 - Issue Tracking, Patch
First Time		Akka akka Management Apache pekko Management Akka Apache
CPE		cpe:2.3:a:akka:akka_management:::::::: cpe:2.3:a:apache:pekko_management::::::::

11 Jun 2025, 16:15

Type	Values Removed	Values Added
Summary	If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue.	If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue. Akka was affected by the same issue and has released the fix in version 1.6.1.

03 Jun 2025, 18:15

Type	Values Removed	Values Added
CWE	~~CWE-287~~
References		() http://www.openwall.com/lists/oss-security/2025/06/03/7 -

03 Jun 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-03 15:15

Updated : 2025-07-02 14:19

NVD link : CVE-2025-46548

Mitre link : CVE-2025-46548

JSON object : View

Products Affected

akka

akka_management

apache

pekko_management

CWE

No CWE.

JSON object

Attach tags to CVE-2025-46548

Attach tags to `CVE-2025-46548`