Akamai Patches HTTP Request Smuggling Vulnerability in Edge Servers

A high-severity HTTP request smuggling vulnerability in Akamai's edge server infrastructure has been fixed.

The vulnerability, tracked as CVE-2025-66373, stemmed from improper processing of HTTP requests with invalid chunk-encoded bodies, potentially exposing thousands of customers to request smuggling attacks.

Understanding HTTP Chunked Transfer Encoding

HTTP chunked transfer encoding is an HTTP/1.1 mechanism that splits a message body into a series of chunks so the sender does not need to know the total body length in advance. Each chunk consists of a hexadecimal size line, followed by exactly that many bytes of data and a CRLF; a chunk of size zero terminates the body.

Akamai's edge servers contained a flaw in how they processed malformed chunked requests, specifically those in which the declared chunk size did not match the number of bytes actually present.

Under certain conditions, when an edge server received such an invalid request, it forwarded both the malformed request and the surplus data bytes to the origin server instead of rejecting the request.
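The following is an added illustration written for this page, not Akamai's code and not a model of the patched implementation. It shows the framing check a chunked-body decoder must make: after reading the declared number of bytes, a CRLF has to follow, otherwise the declared size and the actual data disagree. The strict decoder rejects such a request; the lenient variant stops decoding and hands back the unconsumed bytes, which is the kind of "superfluous data" that becomes dangerous if a gateway forwards it to an origin. The sample requests, header names and function names are all constructed for the example.

```python
import re

# Chunk-size line: hex digits, optional ";ext" chunk extension, then CRLF (RFC 9112).
CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n")


class ChunkFramingError(ValueError):
    """Raised in strict mode for any deviation from chunked framing."""


def decode_chunked(data: bytes, strict: bool = True) -> tuple[bytes, bytes]:
    """Decode a chunked message body and return (decoded_body, leftover).

    strict=True: every framing violation raises ChunkFramingError, so on
    success leftover is always b"".
    strict=False: illustrates a forgiving decoder; decoding stops at the
    first violation and the unconsumed bytes are returned as leftover.
    """
    body = bytearray()
    pos = 0
    while True:
        m = CHUNK_SIZE_LINE.match(data, pos)
        if m is None:
            if strict:
                raise ChunkFramingError(f"expected chunk-size line at offset {pos}")
            return bytes(body), data[pos:]
        size = int(m.group(1), 16)
        pos = m.end()
        if size == 0:
            # last-chunk; no trailer fields in this example, so a bare CRLF must follow
            if data[pos:pos + 2] != b"\r\n":
                if strict:
                    raise ChunkFramingError("missing CRLF after last-chunk")
                return bytes(body), data[pos:]
            return bytes(body), data[pos + 2:]
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            if strict:
                raise ChunkFramingError(f"chunk truncated: declared {size}, got {len(chunk)}")
            return bytes(body), data[pos:]
        pos += size
        # The declared size is only trustworthy if CRLF immediately follows the
        # data. Data longer or shorter than declared both surface here as
        # something other than CRLF at this offset.
        if data[pos:pos + 2] != b"\r\n":
            if strict:
                raise ChunkFramingError(f"declared size {size} does not match chunk data")
            return bytes(body), data[pos:]
        pos += 2
        body += chunk


def check_request(raw: bytes, strict: bool = True) -> dict:
    """Split a raw HTTP/1.1 request, decode a chunked body, report leftover bytes."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"chunked" not in headers.get(b"transfer-encoding", b"").lower():
        return {"request_line": request_line, "body": rest, "leftover": b""}
    body, leftover = decode_chunked(rest, strict=strict)
    return {"request_line": request_line, "body": body, "leftover": leftover}


def is_well_framed(raw: bytes) -> bool:
    """True if the request passes strict chunked framing checks."""
    try:
        check_request(raw, strict=True)
        return True
    except ChunkFramingError:
        return False


# Constructed sample requests (not captured traffic).
GOOD = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n"
        b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n")
# Declared chunk size is 5, but 10 bytes of data precede the CRLF.
BAD = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
       b"Transfer-Encoding: chunked\r\n\r\n"
       b"5\r\nhelloEXTRA\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(check_request(GOOD))                 # body b"hello world", leftover b""
    print(check_request(BAD, strict=False))    # leftover b"EXTRA\r\n0\r\n\r\n"
    print("strict accepts BAD:", is_well_framed(BAD))   # False
```

In the lenient run the bytes after the declared five-byte chunk survive as leftover rather than being rejected; the only safe behaviour for an intermediary is the strict one, responding with a 400 and closing the connection so that nothing after the malformed chunk is ever forwarded.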

CVE ID: CVE-2025-66373
Vulnerability Type: HTTP Request Smuggling
Affected Component: Akamai edge servers
Root Cause: Incorrect processing of invalid chunk-encoded request bodies
Severity Level: High
CVSS Score: 7.5

This created an attack surface for HTTP request smuggling, a technique in which an attacker crafts a request so that the front-end and back-end servers disagree about where one request ends and the next begins, letting a hidden request ride inside seemingly legitimate traffic.

An attacker exploiting this vulnerability could have concealed malicious requests within the extra bytes transmitted to origin servers.

The practical exploitability depended on how individual origin servers processed the invalid requests they received from Akamai’s infrastructure.

However, the potential for abuse was significant: successful smuggling attacks can bypass security controls, manipulate application logic, or execute unauthorized actions on behalf of legitimate users.

Akamai detected the vulnerability on September 18, 2025. Following a two-month investigation and remediation period, the company deployed a complete fix on November 17, 2025, eliminating the vulnerability from all Akamai services globally. No customer action is required; the patch was applied transparently across the entire platform.

The company formally disclosed this security issue through CVE-2025-66373 as part of its standard vulnerability disclosure process.

Akamai credited the security researcher for discovering and reporting the vulnerability through its Bug Bounty Program.

The coordinated disclosure exemplified responsible vulnerability management and demonstrated how collaborative security research strengthens the broader internet ecosystem.

This patch reinforces Akamai's commitment to maintaining the security and reliability of its content delivery and edge computing infrastructure, which protects millions of organizations worldwide from emerging threats.
