CVE-2021-42697

Name: CVE-2021-42697
Creator: NVD / NIST
Published: 2021-11-02T22:15:08.957+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 36.14%

Last modified Jun 17, 2026

CVE-2021-42697 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Akka HTTP 10.1.x before 10.1.15 and 10.2.x before 10.2.7 can encounter stack exhaustion while parsing HTTP headers, which allows a remote attacker to conduct a Denial of Service attack by sending a User-Agent header with deeply nested comments.. EPSS estimates a 36.14% chance of exploitation in the next 30 days.

Description

Akka HTTP 10.1.x before 10.1.15 and 10.2.x before 10.2.7 can encounter stack exhaustion while parsing HTTP headers, which allows a remote attacker to conduct a Denial of Service attack by sending a User-Agent header with deeply nested comments.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

36.14%

98.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-674

Affected Software

Vendor	Product	Versions
Akka	Http Server	>= 10.1.0, < 10.1.15
Akka	Http Server	>= 10.2.0, < 10.2.7

References

http://packetstormsecurity.com/files/167018/Akka-HTTP-10.1.14-Denial-Of-Service.htmlExploit, Third Party Advisory, VDB Entry
https://akka.io/blog/Vendor Advisory
https://akka.io/blog/news/2021/11/02/akka-http-10.2.7-releasedRelease Notes, Vendor Advisory
https://akka.io/blog/news/2021/11/22/akka-http-10.1.15-releasedRelease Notes, Vendor Advisory
https://doc.akka.io/docs/akka-http/current/security/2021-CVE-2021-42697-stack-overflow-parsing-user-agent.htmlVendor Advisory
http://packetstormsecurity.com/files/167018/Akka-HTTP-10.1.14-Denial-Of-Service.htmlExploit, Third Party Advisory, VDB Entry
https://akka.io/blog/Vendor Advisory
https://akka.io/blog/news/2021/11/02/akka-http-10.2.7-releasedRelease Notes, Vendor Advisory
https://akka.io/blog/news/2021/11/22/akka-http-10.1.15-releasedRelease Notes, Vendor Advisory
https://doc.akka.io/docs/akka-http/current/security/2021-CVE-2021-42697-stack-overflow-parsing-user-agent.htmlVendor Advisory

Timeline

Published: Nov 2, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-42697?

How severe is CVE-2021-42697?

CVE-2021-42697 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 36.14% probability of exploitation in the next 30 days.

How do I fix CVE-2021-42697?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-42697?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST