If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied.
Users who rely on authentication, rather than making sure the Management API ports are only available to trusted users, are recommended to upgrade to version 1.1.1, which fixes this issue.
CVE ID: CVE-2025-46548
CVSS Base Severity: MEDIUM
CVSS Base Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Vendor: Apache Software Foundation
Product: Apache Pekko Management
EPSS Score: 0.07% (probability of being exploited)
EPSS Percentile: 21.06% (share of scored vulnerabilities with an EPSS score less than or equal to this one)
EPSS Date: 2025-06-08 (when this score was calculated)