Advisory

Akamai patches critical HTTP request smuggling flaw in Edge Server infrastructure

Take action: You can't do anything about this advisory. It's already fixed. But keep a record of it if you are using Akamai for vendor evaluation.


Learn More

Akamai patched a critical HTTP Request Smuggling vulnerability affecting its global edge server infrastructure, potentially exposing Akamai customers to attacks that could bypass security controls, impersonate users, poison caches, or deliver unauthorized requests to backend applications.

The flaw is tracked as CVE-2025-66373 (CVSS score 9.8) and is caused by incorrect processing of HTTP/1.1 requests containing malformed chunked transfer encoding. In a properly implemented system, each chunk begins with a hexadecimal size declaration, followed by exactly that many bytes of data, with a terminating zero-length chunk marking the end. The flaw occurred when Akamai edge servers received requests with invalid chunked bodies where the declared chunk size did not match the actual data size. Instead of rejecting these malformed requests, the edge servers would, under certain circumstances, forward both the invalid request and the superfluous bytes to the origin server, creating an exploitable desynchronization between the edge and origin infrastructure.

This desynchronization created opportunities for classic HTTP Request Smuggling scenarios. An attacker could craft a seemingly innocuous or malformed front-end request where the visible portion appeared harmless, but the extra superfluous bytes contained a second, hidden HTTP request. If the origin server parsed the forwarded data stream differently from Akamai's edge servers, it might interpret those hidden bytes as a separate, legitimate request.

This could enable attackers to bypass security controls implemented at the edge, impersonate other users through session hijacking, poison intermediate caches with malicious content, or execute unauthorized requests against internal applications. The practical exploitability of the vulnerability depended entirely on the specific origin server's behavior and its handling of malformed chunked bodies and trailing data.
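The check that prevents this class of desynchronization is a strict chunked-body parser: one that refuses any request where the declared chunk size and the bytes that follow disagree, and refuses anything left over after the terminating chunk, instead of forwarding it. The parser below is an added example written for this advisory, not Akamai's code or the patched edge behavior; the sample bodies are constructed, and `check_chunked_body` is a hypothetical helper name.

```python
"""Strict decoder for an HTTP/1.1 chunked message body (RFC 9112, section 7.1).

Added example, not Akamai's code. Every chunk-size line must be valid hex,
exactly `size` bytes must be followed by CRLF, the body must end with a
zero-length chunk and optional trailer fields, and nothing may remain after
the final CRLF. Any deviation is a reject, never a forward.
"""
import re

# chunk-size in hex, optionally followed by chunk extensions (";name=value")
CHUNK_SIZE_LINE = re.compile(rb"^([0-9A-Fa-f]+)(;.*)?$")
MAX_SIZE_DIGITS = 16  # cap the hex size field so a huge value cannot be used for resource exhaustion


class MalformedChunkedBody(ValueError):
    """Raised for any deviation from the chunked grammar; the request must be rejected."""


def decode_chunked_strict(raw: bytes) -> bytes:
    """Return the de-chunked body, or raise MalformedChunkedBody."""
    pos = 0
    body = bytearray()
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol == -1:
            raise MalformedChunkedBody("chunk-size line not terminated by CRLF")
        m = CHUNK_SIZE_LINE.match(raw[pos:eol])
        if not m:
            raise MalformedChunkedBody(f"invalid chunk-size line: {raw[pos:eol]!r}")
        if len(m.group(1)) > MAX_SIZE_DIGITS:
            raise MalformedChunkedBody("chunk-size field too long")
        size = int(m.group(1), 16)
        pos = eol + 2
        if size == 0:
            break
        data_end = pos + size
        # The declared size must be followed by exactly CRLF. If it is not, the
        # declared length and the actual data disagree: this is the condition the
        # advisory describes, and the only safe answer is to reject the request.
        if raw[data_end:data_end + 2] != b"\r\n":
            raise MalformedChunkedBody(
                f"chunk declared {size} bytes but no CRLF at offset {data_end}")
        body += raw[pos:data_end]
        pos = data_end + 2
    # Trailer section: zero or more "name: value" lines, then an empty line.
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol == -1:
            raise MalformedChunkedBody("trailer section not terminated by CRLF")
        line = raw[pos:eol]
        pos = eol + 2
        if line == b"":
            break
        if b":" not in line:
            raise MalformedChunkedBody(f"invalid trailer field: {line!r}")
    # Superfluous bytes after the message end are exactly what must never be forwarded.
    if pos != len(raw):
        raise MalformedChunkedBody(
            f"{len(raw) - pos} superfluous bytes after the terminating chunk")
    return bytes(body)


def check_chunked_body(raw: bytes) -> str:
    """Hypothetical edge-side decision helper: 'accept' or 'reject: <reason>'."""
    try:
        decode_chunked_strict(raw)
        return "accept"
    except MalformedChunkedBody as exc:
        return f"reject: {exc}"


if __name__ == "__main__":
    # Constructed sample bodies, not captured traffic.
    samples = {
        "well-formed": b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n",
        "with trailer": b"5\r\nhello\r\n0\r\nX-Checksum: abc\r\n\r\n",
        "size mismatch": b"5\r\nhello world\r\n0\r\n\r\n",
        "size too large": b"10\r\nhello\r\n0\r\n\r\n",
        "trailing bytes": b"5\r\nhello\r\n0\r\n\r\nextra",
    }
    for name, raw in samples.items():
        print(f"{name:15s} -> {check_chunked_body(raw)}")
```

The strictness is the point: a lenient parser that resynchronizes on the next CRLF it finds, or that passes leftover bytes through, is what lets an edge and an origin disagree about where one request ends and the next begins. Rejecting on the first mismatch keeps both sides' view of the stream identical.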

Akamai first became aware of the security issue on September 18, 2025, following a report from security researcher Jinone (@jinonehk) through the company's Bug Bounty Program.

Akamai deployed a global fix on November 17, 2025, removing the vulnerable behavior from all services.
