Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities by akkadotnet
CVE-2025-61778 (GCVE-0-2025-61778)
Vulnerability from cvelistv5 – Published: 2025-10-06 16:53 – Updated: 2025-10-06 17:05
VLAI
Title
Akka.Remote TLS did not properly implement certificate-based authentication
Summary
Akka.NET is a .NET port of the Akka project from the Scala / Java community. In all versions of Akka.Remote from v1.2.0 to v1.5.51, TLS could be enabled via our `akka.remote.dot-netty.tcp` transport and this would correctly enforce private key validation on the server-side of inbound connections. Akka.Remote, however, never asked the outbound-connecting client to present ITS certificate - therefore it's possible for untrusted parties to connect to a private key'd Akka.NET cluster and begin communicating with it without any certificate. The issue here is that for certificate-based authentication to work properly, ensuring that all members of the Akka.Remote network are secured with the same private key, Akka.Remote needed to implement mutual TLS. This was not the case before Akka.NET v1.5.52. Those who run Akka.NET inside a private network that they fully control or who were never using TLS in the first place are now affected by the bug. However, those who use TLS to secure their networks must upgrade to Akka.NET V1.5.52 or later. One patch forces "fail fast" semantics if TLS is enabled but the private key is missing or invalid. Previous versions would only check that once connection attempts occurred. The second patch, a critical fix, enforces mutual TLS (mTLS) by default, so both parties must be keyed using the same certificate. As a workaround, avoid exposing the application publicly to avoid the vulnerability having a practical impact on one's application. However, upgrading to version 1.5.52 is still recommended by the maintainers.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/akkadotnet/akka.net/security/a… | x_refsource_CONFIRM |
| https://github.com/akkadotnet/akka.net/pull/7847 | x_refsource_MISC |
| https://github.com/akkadotnet/akka.net/pull/7851 | x_refsource_MISC |
| https://getakka.net/articles/remoting/security.html | x_refsource_MISC |
| https://github.com/akkadotnet/akka.net/releases/t… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| akkadotnet | akka.net |
Affected:
>= 1.2.0, < 1.5.52
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61778",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-06T17:05:20.929457Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T17:05:33.450Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "akka.net",
"vendor": "akkadotnet",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.5.52"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Akka.NET is a .NET port of the Akka project from the Scala / Java community. In all versions of Akka.Remote from v1.2.0 to v1.5.51, TLS could be enabled via our `akka.remote.dot-netty.tcp` transport and this would correctly enforce private key validation on the server-side of inbound connections. Akka.Remote, however, never asked the outbound-connecting client to present ITS certificate - therefore it\u0027s possible for untrusted parties to connect to a private key\u0027d Akka.NET cluster and begin communicating with it without any certificate. The issue here is that for certificate-based authentication to work properly, ensuring that all members of the Akka.Remote network are secured with the same private key, Akka.Remote needed to implement mutual TLS. This was not the case before Akka.NET v1.5.52. Those who run Akka.NET inside a private network that they fully control or who were never using TLS in the first place are now affected by the bug. However, those who use TLS to secure their networks must upgrade to Akka.NET V1.5.52 or later. One patch forces \"fail fast\" semantics if TLS is enabled but the private key is missing or invalid. Previous versions would only check that once connection attempts occurred. The second patch, a critical fix, enforces mutual TLS (mTLS) by default, so both parties must be keyed using the same certificate. As a workaround, avoid exposing the application publicly to avoid the vulnerability having a practical impact on one\u0027s application. However, upgrading to version 1.5.52 is still recommended by the maintainers."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T16:53:41.707Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/akkadotnet/akka.net/security/advisories/GHSA-jhpv-4q4f-43g5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/akkadotnet/akka.net/security/advisories/GHSA-jhpv-4q4f-43g5"
},
{
"name": "https://github.com/akkadotnet/akka.net/pull/7847",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/akkadotnet/akka.net/pull/7847"
},
{
"name": "https://github.com/akkadotnet/akka.net/pull/7851",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/akkadotnet/akka.net/pull/7851"
},
{
"name": "https://getakka.net/articles/remoting/security.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://getakka.net/articles/remoting/security.html"
},
{
"name": "https://github.com/akkadotnet/akka.net/releases/tag/1.5.52",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/akkadotnet/akka.net/releases/tag/1.5.52"
}
],
"source": {
"advisory": "GHSA-jhpv-4q4f-43g5",
"discovery": "UNKNOWN"
},
"title": "Akka.Remote TLS did not properly implement certificate-based authentication"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61778",
"datePublished": "2025-10-06T16:53:41.707Z",
"dateReserved": "2025-09-30T19:43:49.901Z",
"dateUpdated": "2025-10-06T17:05:33.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61778 (GCVE-0-2025-61778)
Vulnerability from nvd – Published: 2025-10-06 16:53 – Updated: 2025-10-06 17:05
VLAI
Title
Akka.Remote TLS did not properly implement certificate-based authentication
Summary
Akka.NET is a .NET port of the Akka project from the Scala / Java community. In all versions of Akka.Remote from v1.2.0 to v1.5.51, TLS could be enabled via our `akka.remote.dot-netty.tcp` transport and this would correctly enforce private key validation on the server-side of inbound connections. Akka.Remote, however, never asked the outbound-connecting client to present ITS certificate - therefore it's possible for untrusted parties to connect to a private key'd Akka.NET cluster and begin communicating with it without any certificate. The issue here is that for certificate-based authentication to work properly, ensuring that all members of the Akka.Remote network are secured with the same private key, Akka.Remote needed to implement mutual TLS. This was not the case before Akka.NET v1.5.52. Those who run Akka.NET inside a private network that they fully control or who were never using TLS in the first place are now affected by the bug. However, those who use TLS to secure their networks must upgrade to Akka.NET V1.5.52 or later. One patch forces "fail fast" semantics if TLS is enabled but the private key is missing or invalid. Previous versions would only check that once connection attempts occurred. The second patch, a critical fix, enforces mutual TLS (mTLS) by default, so both parties must be keyed using the same certificate. As a workaround, avoid exposing the application publicly to avoid the vulnerability having a practical impact on one's application. However, upgrading to version 1.5.52 is still recommended by the maintainers.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/akkadotnet/akka.net/security/a… | x_refsource_CONFIRM |
| https://github.com/akkadotnet/akka.net/pull/7847 | x_refsource_MISC |
| https://github.com/akkadotnet/akka.net/pull/7851 | x_refsource_MISC |
| https://getakka.net/articles/remoting/security.html | x_refsource_MISC |
| https://github.com/akkadotnet/akka.net/releases/t… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| akkadotnet | akka.net |
Affected:
>= 1.2.0, < 1.5.52
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61778",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-06T17:05:20.929457Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T17:05:33.450Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "akka.net",
"vendor": "akkadotnet",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.5.52"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Akka.NET is a .NET port of the Akka project from the Scala / Java community. In all versions of Akka.Remote from v1.2.0 to v1.5.51, TLS could be enabled via our `akka.remote.dot-netty.tcp` transport and this would correctly enforce private key validation on the server-side of inbound connections. Akka.Remote, however, never asked the outbound-connecting client to present ITS certificate - therefore it\u0027s possible for untrusted parties to connect to a private key\u0027d Akka.NET cluster and begin communicating with it without any certificate. The issue here is that for certificate-based authentication to work properly, ensuring that all members of the Akka.Remote network are secured with the same private key, Akka.Remote needed to implement mutual TLS. This was not the case before Akka.NET v1.5.52. Those who run Akka.NET inside a private network that they fully control or who were never using TLS in the first place are now affected by the bug. However, those who use TLS to secure their networks must upgrade to Akka.NET V1.5.52 or later. One patch forces \"fail fast\" semantics if TLS is enabled but the private key is missing or invalid. Previous versions would only check that once connection attempts occurred. The second patch, a critical fix, enforces mutual TLS (mTLS) by default, so both parties must be keyed using the same certificate. As a workaround, avoid exposing the application publicly to avoid the vulnerability having a practical impact on one\u0027s application. However, upgrading to version 1.5.52 is still recommended by the maintainers."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-06T16:53:41.707Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/akkadotnet/akka.net/security/advisories/GHSA-jhpv-4q4f-43g5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/akkadotnet/akka.net/security/advisories/GHSA-jhpv-4q4f-43g5"
},
{
"name": "https://github.com/akkadotnet/akka.net/pull/7847",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/akkadotnet/akka.net/pull/7847"
},
{
"name": "https://github.com/akkadotnet/akka.net/pull/7851",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/akkadotnet/akka.net/pull/7851"
},
{
"name": "https://getakka.net/articles/remoting/security.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://getakka.net/articles/remoting/security.html"
},
{
"name": "https://github.com/akkadotnet/akka.net/releases/tag/1.5.52",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/akkadotnet/akka.net/releases/tag/1.5.52"
}
],
"source": {
"advisory": "GHSA-jhpv-4q4f-43g5",
"discovery": "UNKNOWN"
},
"title": "Akka.Remote TLS did not properly implement certificate-based authentication"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61778",
"datePublished": "2025-10-06T16:53:41.707Z",
"dateReserved": "2025-09-30T19:43:49.901Z",
"dateUpdated": "2025-10-06T17:05:33.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}