Akamai Fixes HTTP Request Smuggling Flaw in Edge Servers

Akamai has fixed a vulnerability in its edge servers that could have allowed HTTP Request Smuggling attacks.

The issue was entirely resolved on November 17, 2025, and the company says no action is needed from customers. The flaw is now tracked as CVE-2025-66373.

Field               Detail
CVE ID              CVE-2025-66373
Vendor              Akamai
Component           Akamai edge servers
Vulnerability Type  HTTP Request Smuggling

The bug was linked to how Akamai edge servers handled HTTP requests that used chunked transfer encoding.

Chunked transfer encoding is a feature of HTTP/1.1 in which the body of a message is sent in “chunks” rather than as a single continuous block.

Each chunk starts with a chunk size, followed by the exact amount of data promised by that size.

In this case, Akamai’s edge servers did not always handle invalid chunked bodies correctly.

If a request included a chunk size that did not match the actual length of the data that followed, in some cases the edge server could still forward the request to the origin server.

It would also forward extra bytes that did not belong to a valid chunk. An attacker could hide a second, smuggled HTTP request inside those extra bytes.

This hidden request might then be processed by the origin server as if it were a standard request coming from Akamai.
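To make the check concrete, the following is an added example (not Akamai's code) of a strict chunked-body decoder for an edge proxy: it refuses to forward a body whose declared chunk size does not match the data that follows, or that carries bytes outside any chunk. The sample bodies are constructed.

```python
import re
# Added example, not Akamai's code: a strict HTTP/1.1 chunked-body decoder for an edge proxy.
CRLF = b"\r\n"
CHUNK_SIZE = re.compile(rb"[0-9A-Fa-f]+")  # hex digits only: no sign, no 0x prefix, no spaces


class MalformedChunkedBody(ValueError):
    """The body does not strictly follow chunked framing."""


def decode_chunked(body: bytes) -> bytes:
    """Return the de-chunked payload; raise MalformedChunkedBody on any framing error."""
    pos, out = 0, bytearray()
    while True:  # one iteration per chunk: "<hex size>[;ext]CRLF <data>CRLF"
        eol = body.find(CRLF, pos)
        if eol == -1:
            raise MalformedChunkedBody("chunk-size line not terminated")
        size_field = body[pos:eol].split(b";", 1)[0]  # drop chunk extensions
        if not CHUNK_SIZE.fullmatch(size_field):
            raise MalformedChunkedBody(f"invalid chunk size {size_field!r}")
        size, pos = int(size_field, 16), eol + len(CRLF)
        if size == 0:
            break
        data_end = pos + size
        # The declared size must land exactly on a CRLF; otherwise the data does not match it.
        if body[data_end:data_end + len(CRLF)] != CRLF:
            raise MalformedChunkedBody("chunk data does not match declared size")
        out += body[pos:data_end]
        pos = data_end + len(CRLF)
    while True:  # optional trailer fields, then the empty line that ends the body
        eol = body.find(CRLF, pos)
        if eol == -1:
            raise MalformedChunkedBody("trailer section not terminated")
        line, pos = body[pos:eol], eol + len(CRLF)
        if line == b"":
            break
    if pos != len(body):  # the advisory's "extra bytes": part of no chunk, so refuse them
        raise MalformedChunkedBody(f"{len(body) - pos} trailing bytes after final chunk")
    return bytes(out)


def forward_decision(body: bytes) -> str:
    """Edge-side policy: forward only a body that decodes strictly, otherwise reject it."""
    try:
        decode_chunked(body)
        return "forward"
    except MalformedChunkedBody as exc:
        return f"reject 400: {exc}"


# Constructed samples (not from the advisory).
VALID = b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
SIZE_MISMATCH = b"3\r\nhello\r\n0\r\n\r\n"            # declares 3 bytes, sends 5
TRAILING_BYTES = b"5\r\nhello\r\n0\r\n\r\nLEFTOVER"  # bytes after the final chunk
```

A lenient decoder that resynchronises on the next size line, or that forwards whatever is left once the final chunk is seen, is exactly what lets leftover bytes reach the origin.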

That scenario is known as HTTP Request Smuggling. It can lead to serious problems, such as bypassing security controls, poisoning caches, or hijacking user sessions.

However, whether this flaw was actually exploitable in the real world depended on how the origin server handled the invalid request.

If the origin server rejected or safely ignored malformed data, the risk would be much lower. As a result, the impact could vary across different customer setups.

Akamai became aware of the issue on September 18, 2025, after a report through its Bug Bounty Program.

The company investigated and developed a fix, which was fully rolled out to all Akamai services on November 17, 2025.

With that deployment, the vulnerable behavior was removed entirely from the platform.

Akamai states that customers do not need to change their configurations or apply any patches on their side. All mitigation has been handled within Akamai’s own infrastructure.

The vulnerability has been disclosed under a dedicated CVE entry, and Akamai has published details to maintain transparency with customers and the security community.

Akamai has given special thanks to security researcher “Jinone (@jinonehk)” for reporting the issue and working with the company during the investigation, helping to make the internet more secure.
