Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66373

CVE-2025-66373: Akamai Ghost Request Smuggling Flaw

CVE-2025-66373 is an HTTP request smuggling vulnerability in Akamai Ghost on CDN edge servers. Attackers can exploit chunked body processing errors to hide malicious requests. This article covers technical details, impact, and fixes.

Published:

CVE-2025-66373 Overview

CVE-2025-66373 is an HTTP request smuggling vulnerability affecting Akamai Ghost on Akamai CDN edge servers prior to 2025-11-17. The flaw resides in how Akamai Ghost processes chunked request bodies. When the server receives an invalid chunked body containing a chunk size that differs from the actual size of the chunk data, it forwards the invalid request along with superfluous bytes to the origin server. Attackers can hide a smuggled request within those extra bytes. Exploitability depends on how the downstream origin server interprets the malformed request. The weakness is classified under CWE-444 (Inconsistent Interpretation of HTTP Requests).

Critical Impact

Successful exploitation enables request smuggling through the Akamai CDN edge, allowing attackers to bypass front-end security controls, poison caches, or hijack sessions when paired with a permissive origin server.

Affected Products

  • Akamai Ghost on Akamai CDN edge servers before 2025-11-17
  • Akamai akamaighost component
  • Environments routing HTTP traffic through Akamai CDN to downstream origin servers

Discovery Timeline

  • 2025-12-04 - CVE-2025-66373 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-66373

Vulnerability Analysis

HTTP request smuggling exploits parsing inconsistencies between front-end proxies and back-end origin servers. In this case, Akamai Ghost, the edge proxy powering the Akamai CDN, mishandles chunked transfer-encoded request bodies. Chunked encoding specifies each chunk with a hexadecimal length prefix followed by the chunk data. When the declared chunk size does not match the actual number of bytes in the following data, Akamai Ghost forwards both the malformed request and any trailing bytes to the origin server. Attackers can craft the trailing bytes to form a second, hidden HTTP request. See the Akamai security advisory for the vendor analysis.

Root Cause

The root cause is improper validation of the chunk size declaration against the actual chunk payload length. Akamai Ghost proceeds with forwarding logic instead of rejecting the malformed body or terminating the connection. This produces a front-end/back-end desynchronization when the origin server parses the superfluous bytes as a new request. The behavior aligns with CWE-444, Inconsistent Interpretation of HTTP Requests.

Attack Vector

An unauthenticated remote attacker sends a specially crafted HTTP request with a Transfer-Encoding: chunked header. The attacker declares a chunk size smaller than the actual chunk data. The excess bytes contain a smuggled HTTP request. Akamai Ghost forwards the malformed stream to the origin, which may interpret the extra bytes as an independent request from another user. This can lead to request queue poisoning, cache poisoning, credential theft, or bypass of edge-based access controls. Exploitation complexity is elevated because success depends on the origin server's parsing behavior. Refer to the Wikipedia HTTP Request Smuggling overview for background on this attack class.

No verified public exploit code is available. The vulnerability mechanism
involves sending a chunked-encoded HTTP request where the declared chunk
size differs from the actual byte length of the chunk data. The trailing
bytes are interpreted by the origin server as a separate request.
See the Akamai advisory for the vendor's technical description.

Detection Methods for CVE-2025-66373

Indicators of Compromise

  • Unexpected HTTP requests appearing in origin server logs without corresponding entries in Akamai edge logs
  • Requests with Transfer-Encoding: chunked headers where chunk-size declarations do not match subsequent chunk payload lengths
  • Anomalous response pairings where a client receives a response intended for a different session or user
  • Cache entries containing unexpected content or headers that were not part of the legitimate request

Detection Strategies

  • Compare request counts and identifiers between Akamai edge logs and origin server logs to identify desynchronization
  • Deploy a Web Application Firewall (WAF) rule at the origin to reject chunked bodies where declared and actual chunk sizes disagree
  • Inspect HTTP traffic for malformed chunked encoding patterns, including chunk sizes followed by trailing content that resembles a new HTTP request line

Monitoring Recommendations

  • Enable verbose request logging on origin servers, including full request headers and chunked encoding metadata
  • Alert on sudden spikes in 400-class responses tied to chunked transfer-encoded requests
  • Monitor for cache poisoning indicators such as authenticated content served to unauthenticated sessions
  • Correlate edge and origin telemetry within a centralized SIEM to surface parsing discrepancies

How to Mitigate CVE-2025-66373

Immediate Actions Required

  • Confirm that traffic is served by Akamai edge nodes updated on or after 2025-11-17, when the vendor rolled out the fix
  • Audit origin servers for lenient chunked-encoding parsers and enforce strict RFC 9112 compliance
  • Restrict origin servers to accept traffic only from Akamai edge IP ranges to reduce direct-to-origin bypass exposure
  • Review WAF rulesets for signatures targeting HTTP request smuggling variants

Patch Information

Akamai deployed the fix across its CDN edge fleet by 2025-11-17. Customers do not need to install a patch directly because Akamai Ghost is a managed edge service. Verify with Akamai support that all edge regions serving your properties have received the update. Consult the Akamai advisory for CVE-2025-66373 for vendor guidance.

Workarounds

  • Configure origin servers to reject requests where the declared chunk size does not match the received chunk data length
  • Disable HTTP/1.1 keep-alive on the origin for high-risk endpoints to limit request queue reuse
  • Enforce strict Content-Length and Transfer-Encoding header validation at the origin, dropping ambiguous or conflicting combinations
  • Prefer HTTP/2 between the edge and origin where supported, since it does not use chunked transfer encoding
bash
# Example NGINX origin hardening to reject ambiguous encoding
http {
    # Reject requests with both Content-Length and Transfer-Encoding
    map $http_transfer_encoding $bad_encoding {
        default 0;
        "~*chunked" 1;
    }

    server {
        if ($bad_encoding = 1) {
            set $flag "${flag}A";
        }
        if ($http_content_length != "") {
            set $flag "${flag}B";
        }
        if ($flag = "AB") {
            return 400;
        }
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.