Vulnerability Description
If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue. Akka was affected by the same issue and has released the fix in version 1.6.1.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Pekko Management | >= 1.0.0, <= 1.1.1 |
| Akka | Akka Management | < 1.6.1 |
Related Weaknesses (CWE)
References
- https://github.com/akka/akka-management/pull/1385ExploitIssue Tracking
- https://github.com/apache/pekko-management/pull/418Issue TrackingPatch
- https://lists.apache.org/thread/tnd84hj9w0ggjcft6cp12q67d5jzhp66Mailing ListVendor Advisory
- http://www.openwall.com/lists/oss-security/2025/06/03/7Mailing ListThird Party Advisory
FAQ
What is CVE-2025-46548?
CVE-2025-46548 is a vulnerability with a CVSS score of 6.5 (MEDIUM). If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users that rely on authentication instead of making sure the Management API ...
How severe is CVE-2025-46548?
CVE-2025-46548 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-46548?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Pekko Management, Akka Akka Management.