CVE-2025-53393: 
Java vulnerability analysis and mitigation

In Akka through version 2.10.6, a vulnerability was identified where akka-cluster-metrics uses Java serialization for cluster metrics. The vulnerability was discovered and disclosed on June 28, 2025, and has been assigned CVE-2025-53393. This issue affects the Akka framework's cluster metrics component (NVD, CVE).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 Base Score of 6.0 (MEDIUM). The vector string is CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L, indicating that the vulnerability is network accessible, requires high attack complexity, low privileges, no user interaction, and has a scope that can change with low impacts to confidentiality, integrity, and availability (NVD).

The vulnerability potentially affects cluster metrics functionality in Akka deployments, particularly concerning the serialization of data types like BigDecimal and BigInteger. During rolling updates, this could result in serialization errors, though these issues should resolve once the rollout is completed (Github PR).

A fix has been implemented through a pull request that removes Java serialization for cluster metrics. The issue has been addressed in the development branch and is scheduled for release in version 2.10.7 (Github PR).