CVE-2021-42697 Overview
CVE-2021-42697 is a Denial of Service (DoS) vulnerability affecting Akka HTTP, a popular HTTP library for building RESTful services in Scala and Java. The vulnerability exists in the HTTP header parsing functionality, where maliciously crafted User-Agent headers containing deeply nested comments can trigger stack exhaustion, causing the server to crash.
Akka HTTP versions 10.1.x before 10.1.15 and 10.2.x before 10.2.7 are susceptible to this attack. The flaw stems from recursive parsing of HTTP header comments, which lacks proper depth limits. An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted HTTP requests to vulnerable servers, resulting in service disruption without requiring any user interaction or authentication.
Critical Impact
Remote attackers can crash Akka HTTP servers by sending a single malicious HTTP request with a deeply nested User-Agent header, causing complete service unavailability.
Affected Products
- Akka HTTP Server versions 10.1.x before 10.1.15
- Akka HTTP Server versions 10.2.x before 10.2.7
Discovery Timeline
- 2021-11-02 - CVE-2021-42697 published to NVD
- 2021-11-02 - Akka releases security patch version 10.2.7
- 2021-11-22 - Akka releases security patch version 10.1.15
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-42697
Vulnerability Analysis
This vulnerability is classified as CWE-674 (Uncontrolled Recursion), where the Akka HTTP header parsing implementation recursively processes nested comment structures without enforcing adequate recursion depth limits. When parsing HTTP headers such as User-Agent, the parser encounters parentheses which denote comments according to HTTP specifications. Each nested comment level triggers an additional stack frame during recursive processing.
The attack can be executed remotely over the network without requiring any privileges or user interaction. The impact is limited to availability, with no effect on confidentiality or integrity. The vulnerability has a high likelihood of exploitation, as indicated by its EPSS percentile placing it among the most likely to be exploited vulnerabilities.
Root Cause
The root cause lies in the recursive comment parsing logic within Akka HTTP's header parser. HTTP headers allow comments enclosed in parentheses, and these comments can be nested. The parser implementation uses recursive function calls to handle each nesting level without implementing a maximum depth check. When an attacker sends a User-Agent header with thousands of nested parentheses, the recursive calls consume stack space until the JVM stack is exhausted, throwing a StackOverflowError and crashing the server process.
Attack Vector
The attack is conducted over the network by sending an HTTP request containing a User-Agent header with deeply nested comment structures. Since HTTP headers are processed before any application logic, no authentication is required. A single malicious request is sufficient to crash the server.
The attacker crafts a User-Agent header with multiple levels of nested parentheses. For example, a header like User-Agent: Mozilla/5.0 ((((...thousands of nested parens...)))) would trigger recursive parsing. Each opening parenthesis causes the parser to recurse deeper, and with sufficient nesting depth (typically several thousand levels), the JVM stack is exhausted.
The attack has been publicly documented with a proof-of-concept available on Packet Storm, making exploitation straightforward for attackers.
Detection Methods for CVE-2021-42697
Indicators of Compromise
- HTTP requests containing User-Agent headers with abnormally long values or excessive parentheses
- Server crashes or restarts correlated with incoming HTTP traffic
- StackOverflowError exceptions in JVM application logs
- Sudden service unavailability without apparent infrastructure issues
Detection Strategies
- Monitor web server logs for User-Agent headers exceeding normal length thresholds (e.g., > 8KB)
- Implement regex-based detection for headers containing excessive nested parentheses patterns
- Configure application performance monitoring to alert on StackOverflowError occurrences
- Deploy Web Application Firewall (WAF) rules to block requests with malformed or suspiciously long headers
Monitoring Recommendations
- Set up alerting for JVM crashes with stack overflow patterns in application logs
- Monitor HTTP request header sizes at the load balancer or reverse proxy level
- Track server availability metrics and correlate downtime with traffic anomalies
- Implement logging of rejected or sanitized malformed HTTP headers
How to Mitigate CVE-2021-42697
Immediate Actions Required
- Upgrade Akka HTTP 10.2.x installations to version 10.2.7 or later
- Upgrade Akka HTTP 10.1.x installations to version 10.1.15 or later
- If immediate patching is not possible, deploy WAF rules to filter requests with excessively long User-Agent headers
- Consider implementing request header size limits at the reverse proxy or load balancer
Patch Information
Akka has released patched versions addressing this vulnerability. Users should upgrade to the following versions:
- Akka HTTP 10.2.x: Upgrade to version 10.2.7 or later - See the Akka HTTP 10.2.7 Release Announcement for details
- Akka HTTP 10.1.x: Upgrade to version 10.1.15 or later - See the Akka HTTP 10.1.15 Release Announcement for details
For complete technical details on the vulnerability and remediation, refer to the official Akka HTTP CVE-2021-42697 Documentation.
Workarounds
- Deploy a reverse proxy (e.g., Nginx, HAProxy) in front of Akka HTTP servers with header size limits
- Implement WAF rules to block requests containing User-Agent headers longer than 4096 bytes
- Configure network-level rate limiting to reduce the impact of DoS attempts
- Monitor and automatically restart crashed Akka HTTP instances while patching is in progress
# Example Nginx configuration to limit header sizes
# Add to http or server block
large_client_header_buffers 4 8k;
client_header_buffer_size 1k;
# Block requests with excessively long User-Agent headers
if ($http_user_agent ~* "^.{4096,}$") {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
