CVE-2025-46548
Pekko Management may not properly apply authenticator when Basic Authentication is enabled
Severity: 6.5 MEDIUM (CVSS 3.1)
EPSS: 1.7%
Description
If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users who rely on authentication, rather than making sure the Management API ports are only available to trusted users, are recommended to upgrade to version 1.1.1, which fixes this issue. Akka was affected by the same issue and has released the fix in version 1.6.1.
How to fix CVE-2025-46548
To remediate CVE-2025-46548, upgrade the affected package to a fixed version below.
- upgrade to 1.6.1 or later
- upgrade to 1.6.1 or later
- upgrade to 1.6.1 or later
- upgrade to 1.1.1 or later
- upgrade to 1.1.1 or later
- upgrade to 1.1.1 or later
Is CVE-2025-46548 being exploited?
Low — EPSS is 1.7%, meaning exploitation activity has not been observed at scale.
Affected packages (6)
- from 0, < 1.6.1
- from 0, < 1.6.1
- from 0, < 1.6.1
- from 0, < 1.1.1
- from 0, < 1.1.1
- from 0, < 1.1.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |