Appearance
MET-2025-003
Akka.Remote (CVE-2025-61778)
Skip to content
| Bulletin ID | MET-2025-003 |
|---|---|
| Date (published) | 2025-10-09T00:00:00.000Z |
| Date (last updated) | 2025-10-09T00:00:00.000Z |
| Severity | Informational |
Description
On Oct 6th, 2025, a vulnerability was published on Akka.Remote library where the library fails to validate TLS certificates. This allows attackers with network access to connect to Akka.Net cluster.
Affected Products/Services
Metaplay infrastructure and product are not affected by this vulnerability.
- MetaplaySDK Akka.NET cluster is running in a private network and is not using TLS certificates.
Impact
None.
Solution
The vulnerable Akka.Remote library can be updated to version 1.5.52 by applying the following patch. As the MetaplaySDK is not vulnerable, applying the patch is useful merely to silence any security scanner warnings.
MetaplaySDK/Backend/Cloud/Metaplay.Cloud.csproj
diff
- <PackageReference Include="Akka" Version="1.5.49" />
+ <PackageReference Include="Akka" Version="1.5.52" />
- <PackageReference Include="Akka.Remote" Version="1.5.49" />
+ <PackageReference Include="Akka.Remote" Version="1.5.52" />CVE and CVSS Information
References
Contact Information
Security-related questions or concerns can be sent to security@metaplay.io.
Revision History
| Date | Description |
|---|---|
| 2025-10-09 | Security Bulletin released |