CVE-2025-46548
Last modified
CVE-2025-46548 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue. Akka was affected by the same issue and has released the fix in version 1.6.1.. EPSS estimates a 0.66% chance of exploitation in the next 30 days.
Description
If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue. Akka was affected by the same issue and has released the fix in version 1.6.1.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Pekko Management | >= 1.0.0, <= 1.1.1 |
| Akka | Akka Management | < 1.6.1 |
References
- https://github.com/akka/akka-management/pull/1385Exploit, Issue Tracking
- https://github.com/apache/pekko-management/pull/418Issue Tracking, Patch
- https://lists.apache.org/thread/tnd84hj9w0ggjcft6cp12q67d5jzhp66Mailing List, Vendor Advisory
- http://www.openwall.com/lists/oss-security/2025/06/03/7Mailing List, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-46548?
How severe is CVE-2025-46548?
How do I fix CVE-2025-46548?
Are you affected by CVE-2025-46548?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST