v10.0.14

@jrudolph jrudolph released this 06 Sep 10:32
· 11 commits to release-10.0 since this release
817d76e

10.0.14 is a security patch release in the 10.0.x series of Akka HTTP.

It is mainly a mitigation for the DoS vulnerability when using decodeRequest.

Migration Notes

To avoid excessive memory usage, we introduced two new limits that apply by default:

  • akka.http.routing.decode-max-size: When you use decodeRequest, this limit caps the amount of decompressed data. The default limit is 8 megabytes.
  • akka.http.parsing.max-to-strict-bytes: This limit applies when you use HttpEntity.toStrict or the toStrictEntity directive (and related directives). It will only collect up to the given amount of data and fail otherwise. The default limit is 8 megabytes.

Depending on your application requirements, you may want to change these settings.
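
To show why a cap on decoded size matters, here is an added Python illustration (not Akka HTTP code and not part of the release notes) of the mechanism behind a limit like akka.http.routing.decode-max-size: decode in bounded steps and fail once the output passes the limit. The function names, the 64 KiB step and the constructed sample bodies are assumptions made for this example.

```python
import gzip
import zlib

# Assumption: 8 MiB, standing in for the 8 megabyte default described above.
DECODE_MAX_SIZE = 8 * 1024 * 1024


class DecodedSizeExceeded(Exception):
    """The decompressed entity grew past the configured limit."""


def bounded_gunzip(chunks, max_size=DECODE_MAX_SIZE, step=64 * 1024):
    """Decode a gzip body chunk by chunk; fail once output exceeds max_size.

    At most max_size + step bytes of output are buffered before failing.
    """
    decoder = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing
    out = bytearray()
    for chunk in chunks:
        data = chunk
        while data:
            # max_length=step caps the output of one call, so a small input
            # chunk cannot expand without the limit check running in between.
            out += decoder.decompress(data, step)
            if len(out) > max_size:
                raise DecodedSizeExceeded(f"decoded entity exceeds {max_size} bytes")
            data = decoder.unconsumed_tail
    out += decoder.flush()
    if len(out) > max_size:
        raise DecodedSizeExceeded(f"decoded entity exceeds {max_size} bytes")
    if not decoder.eof:
        raise ValueError("truncated gzip stream")
    return bytes(out)


def in_chunks(body, size=4096):
    """Split a body into network-sized chunks, as a streaming server sees it."""
    return [body[i:i + size] for i in range(0, len(body), size)]


if __name__ == "__main__":
    ok = gzip.compress(b'{"user": "alice"}')           # constructed sample
    big = gzip.compress(b"\0" * (16 * 1024 * 1024))    # constructed sample
    print(len(ok), "->", len(bounded_gunzip(in_chunks(ok))))
    try:
        bounded_gunzip(in_chunks(big))
    except DecodedSizeExceeded as exc:
        print(len(big), "compressed bytes rejected:", exc)
```

The second sample is only a few kilobytes on the wire, which is why a limit on the compressed request size alone does not bound memory use after decoding.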

Changes since 10.0.13

For a full overview you can also see the 10.0.14 milestone:

  • Restrict the maximum size of a request entity after uncompressing it with decodeRequest #2137
  • Restrict the maximum size of a request entity when reading it into memory with toStrict #2186
  • Support parameters for custom media types (#2005)