Description

If Basic Authentication is enabled in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users who rely on authentication, rather than restricting the Management API ports to trusted users only, are recommended to upgrade to version 1.1.1, which fixes this issue. Akka was affected by the same issue and has released the fix in version 1.6.1.

Status: PUBLISHED | Reserved 2025-04-24 | Published 2025-06-03 | Updated 2025-06-11 | Assigner: apache

Problem types

CWE-287 Improper Authentication

Product status

Default status: unaffected; 1.0.0 (maven) before 1.1.1: affected

Default status: unaffected; 1.0.0 (maven) before 1.1.1: affected

Default status: unaffected; 1.0.0 (maven) before 1.1.1: affected

Default status: unaffected; any version before 1.6.1: affected

Default status: unaffected; any version before 1.6.1: affected

Default status: unaffected; any version before 1.6.1: affected

Credits

Per-Ivar Bakke of GE Vernova (finder)

References

www.openwall.com/lists/oss-security/2025/06/03/7

github.com/apache/pekko-management/pull/418 (patch)

github.com/akka/akka-management/pull/1385 (related)

lists.apache.org/thread/tnd84hj9w0ggjcft6cp12q67d5jzhp66 (vendor advisory)

cve.org (CVE-2025-46548)

nvd.nist.gov (CVE-2025-46548)