CVE-2025-46548: Pekko Management may not properly apply authenticator when Basic Authentication enabled

June 3, 2025 (updated June 6, 2025)

If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied.

Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue.

References

github.com/advisories/GHSA-9qvj-rpj8-v5c8
github.com/akka/akka-management/pull/1385
github.com/apache/pekko-management/pull/418
lists.apache.org/thread/tnd84hj9w0ggjcft6cp12q67d5jzhp66
nvd.nist.gov/vuln/detail/CVE-2025-46548

Code Behaviors & Features

Detect and mitigate CVE-2025-46548 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →