CVE-2025-66373 Overview
CVE-2025-66373 is an HTTP request smuggling vulnerability affecting Akamai Ghost on Akamai CDN edge servers prior to 2025-11-17. The flaw resides in how Akamai Ghost processes chunked request bodies. When the server receives an invalid chunked body containing a chunk size that differs from the actual size of the chunk data, it forwards the invalid request along with superfluous bytes to the origin server. Attackers can hide a smuggled request within those extra bytes. Exploitability depends on how the downstream origin server interprets the malformed request. The weakness is classified under CWE-444 (Inconsistent Interpretation of HTTP Requests).
Critical Impact
Successful exploitation enables request smuggling through the Akamai CDN edge, allowing attackers to bypass front-end security controls, poison caches, or hijack sessions when paired with a permissive origin server.
Affected Products
- Akamai Ghost on Akamai CDN edge servers before 2025-11-17
- Akamai akamaighost component
- Environments routing HTTP traffic through Akamai CDN to downstream origin servers
Discovery Timeline
- 2025-12-04 - CVE-2025-66373 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-66373
Vulnerability Analysis
HTTP request smuggling exploits parsing inconsistencies between front-end proxies and back-end origin servers. In this case, Akamai Ghost, the edge proxy powering the Akamai CDN, mishandles chunked transfer-encoded request bodies. Chunked encoding specifies each chunk with a hexadecimal length prefix followed by the chunk data. When the declared chunk size does not match the actual number of bytes in the following data, Akamai Ghost forwards both the malformed request and any trailing bytes to the origin server. Attackers can craft the trailing bytes to form a second, hidden HTTP request. See the Akamai security advisory for the vendor analysis.
Root Cause
The root cause is improper validation of the chunk size declaration against the actual chunk payload length. Akamai Ghost proceeds with forwarding logic instead of rejecting the malformed body or terminating the connection. This produces a front-end/back-end desynchronization when the origin server parses the superfluous bytes as a new request. The behavior aligns with CWE-444, Inconsistent Interpretation of HTTP Requests.
Attack Vector
An unauthenticated remote attacker sends a specially crafted HTTP request with a Transfer-Encoding: chunked header. The attacker declares a chunk size smaller than the actual chunk data. The excess bytes contain a smuggled HTTP request. Akamai Ghost forwards the malformed stream to the origin, which may interpret the extra bytes as an independent request from another user. This can lead to request queue poisoning, cache poisoning, credential theft, or bypass of edge-based access controls. Exploitation complexity is elevated because success depends on the origin server's parsing behavior. Refer to the Wikipedia HTTP Request Smuggling overview for background on this attack class.
No verified public exploit code is available. The vulnerability mechanism
involves sending a chunked-encoded HTTP request where the declared chunk
size differs from the actual byte length of the chunk data. The trailing
bytes are interpreted by the origin server as a separate request.
See the Akamai advisory for the vendor's technical description.
Detection Methods for CVE-2025-66373
Indicators of Compromise
- Unexpected HTTP requests appearing in origin server logs without corresponding entries in Akamai edge logs
- Requests with Transfer-Encoding: chunked headers where chunk-size declarations do not match subsequent chunk payload lengths
- Anomalous response pairings where a client receives a response intended for a different session or user
- Cache entries containing unexpected content or headers that were not part of the legitimate request
Detection Strategies
- Compare request counts and identifiers between Akamai edge logs and origin server logs to identify desynchronization
- Deploy a Web Application Firewall (WAF) rule at the origin to reject chunked bodies where declared and actual chunk sizes disagree
- Inspect HTTP traffic for malformed chunked encoding patterns, including chunk sizes followed by trailing content that resembles a new HTTP request line
Monitoring Recommendations
- Enable verbose request logging on origin servers, including full request headers and chunked encoding metadata
- Alert on sudden spikes in 400-class responses tied to chunked transfer-encoded requests
- Monitor for cache poisoning indicators such as authenticated content served to unauthenticated sessions
- Correlate edge and origin telemetry within a centralized SIEM to surface parsing discrepancies
How to Mitigate CVE-2025-66373
Immediate Actions Required
- Confirm that traffic is served by Akamai edge nodes updated on or after 2025-11-17, when the vendor rolled out the fix
- Audit origin servers for lenient chunked-encoding parsers and enforce strict RFC 9112 compliance
- Restrict origin servers to accept traffic only from Akamai edge IP ranges to reduce direct-to-origin bypass exposure
- Review WAF rulesets for signatures targeting HTTP request smuggling variants
Patch Information
Akamai deployed the fix across its CDN edge fleet by 2025-11-17. Customers do not need to install a patch directly because Akamai Ghost is a managed edge service. Verify with Akamai support that all edge regions serving your properties have received the update. Consult the Akamai advisory for CVE-2025-66373 for vendor guidance.
Workarounds
- Configure origin servers to reject requests where the declared chunk size does not match the received chunk data length
- Disable HTTP/1.1 keep-alive on the origin for high-risk endpoints to limit request queue reuse
- Enforce strict Content-Length and Transfer-Encoding header validation at the origin, dropping ambiguous or conflicting combinations
- Prefer HTTP/2 between the edge and origin where supported, since it does not use chunked transfer encoding
# Example NGINX origin hardening to reject ambiguous encoding
http {
# Reject requests with both Content-Length and Transfer-Encoding
map $http_transfer_encoding $bad_encoding {
default 0;
"~*chunked" 1;
}
server {
if ($bad_encoding = 1) {
set $flag "${flag}A";
}
if ($http_content_length != "") {
set $flag "${flag}B";
}
if ($flag = "AB") {
return 400;
}
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

