Akamai Ghost Platform Flaw Allows Hidden Second Request Injection
Akamai Technologies disclosed a critical HTTP request smuggling vulnerability affecting its content delivery network platform that could allow attackers to inject hidden secondary requests through a sophisticated exploitation technique.
The vulnerability, designated CVE-2025-32094, was discovered through the company’s bug bounty program and has been resolved across all customer deployments without evidence of successful exploitation in the wild.
Vulnerability Details and Attack Vector
The security flaw stems from a complex interaction between multiple processing defects within Akamai’s edge server infrastructure.
Specifically, the vulnerability manifests when clients send HTTP/1.x OPTIONS requests containing an “Expect: 100-continue” header that is split across lines using obsolete line folding (obs-fold).
This combination creates a dangerous parsing discrepancy between different Akamai servers in the traffic processing chain. The attack exploits two distinct implementation defects working in tandem.
First, when requests include the Expect: 100-continue header spanning multiple lines through obsolete HTTP line folding, Akamai’s initial edge server correctly removes the line folding before forwarding the request but fails to honor the header due to a software bug.
Second, a separate implementation flaw specific to OPTIONS request processing prevents proper forwarding of requests containing body sections.
These combined defects create a critical desynchronization where two Akamai servers interpret the same request differently, leading to erroneous parsing of the request body and enabling attackers to smuggle malicious requests within the original request body.
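The parsing discrepancy described above is easiest to see in a front-end check that normalises obsolete line folding the way RFC 7230 prescribes and then flags the OPTIONS + Expect: 100-continue + body combination. The code below is an added example, not Akamai's or PortSwigger's code; the reject-on-any-obs-fold policy, the finding names and the sample requests are assumptions constructed for the demonstration.

```python
import re

# Obsolete line folding: CRLF followed by SP or HTAB (RFC 7230 section 3.2.4).
OBS_FOLD = re.compile(rb"\r\n[ \t]+")

def parse_head(raw: bytes):
    """Return (method, headers, body, folded) for a raw HTTP/1.x request.

    Each obs-fold is replaced by a single space before header values are read,
    which is the RFC 7230 rule; whether a fold was present is reported so a
    gateway can reject instead of silently normalising.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head not terminated")
    folded = OBS_FOLD.search(head) is not None
    head = OBS_FOLD.sub(b" ", head)
    lines = head.decode("latin-1").split("\r\n")
    method, _target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body, folded

def assess(raw: bytes) -> dict:
    """Classify a request against the CVE-2025-32094 trigger pattern.

    Policy (an assumption, not Akamai's): any obs-fold is rejected outright,
    and an OPTIONS request with a body plus Expect: 100-continue is rejected too.
    """
    method, headers, body, folded = parse_head(raw)
    findings = []
    if folded:
        findings.append("obs-fold")
    if headers.get("expect", "").lower() == "100-continue":
        findings.append("expect-100-continue")
    has_body = int(headers.get("content-length") or 0) > 0 or "transfer-encoding" in headers
    if method == "OPTIONS" and has_body:
        findings.append("options-with-body")
    reject = folded or ("options-with-body" in findings and "expect-100-continue" in findings)
    return {"method": method, "findings": findings, "verdict": "reject" if reject else "allow"}

# Constructed samples: one OPTIONS request with a folded Expect header (flagged),
# one ordinary POST with a single-line Expect header (allowed).
SAMPLE_FOLDED = (b"OPTIONS / HTTP/1.1\r\nHost: example.invalid\r\n"
                 b"Expect:\r\n 100-continue\r\nContent-Length: 3\r\n\r\na=1")
SAMPLE_CLEAN = (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
                b"Expect: 100-continue\r\nContent-Length: 3\r\n\r\na=1")
```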
| Attribute | Details |
| --- | --- |
| CVE ID | CVE-2025-32094 |
| Type | HTTP Request Smuggling |
| Attack Vector | OPTIONS + Obsolete Line Folding |
| Discovery Date | March 2025 |
| Public Disclosure | August 06, 2025 |
| Researcher | James Kettle (PortSwigger) |
| CVSS Score | Not yet assigned |
| Affected Component | Akamai Edge Servers |
Akamai responded swiftly to the vulnerability report, implementing a platform-wide fix that automatically protected all customers without requiring individual configuration changes.
The company coordinated disclosure with security researcher James Kettle from PortSwigger, aligning the public announcement with related research presented at BlackHat 2025.
The bug bounty reward was jointly funded by both Akamai and PortSwigger, with the combined payment donated to 42nd Street, a mental health charity supporting young people.
This collaborative approach demonstrates effective industry cooperation in responsible vulnerability disclosure.
The vulnerability highlights the ongoing challenges in HTTP protocol implementation across complex distributed systems, particularly regarding legacy features like obsolete line folding that continue to create unexpected security implications in modern infrastructure deployments.