
CVE-2025-54142: HTTP Request Smuggling via OPTIONS + Body


Aug 28, 2025

Akamai InfoSec


Written by

Akamai InfoSec


Akamai eliminated a potential HTTP request smuggling vulnerability (CVE-2025-54142) arising from the way some origin servers handle OPTIONS requests that include a request body.

The HTTP OPTIONS request method described in RFC 9110 can be used by a client to determine the permitted options for a given URL on the server. Its primary use is within the context of Cross-Origin Resource Sharing (CORS), where it lets a browser "preflight" a request in an idempotent manner before issuing the actual request.

Although unusual in practice, the OPTIONS method may be accompanied by an entity-body, even though — per RFC 9110 — there are no known valid use cases for such requests, and no known browser or mobile client would normally issue requests of this sort.

Details

Certain RFC-noncompliant origin stacks do not properly consume the request body when it is forwarded to them by Akamai's proxy servers, which could then lead to the payload remaining in the persistent connection between a proxy and an origin server.

A subsequent regular HTTP request to the same origin could then be appended and trigger the origin to interpret the smuggled request.

This offered an attacker a window of opportunity for cache poisoning or other security-related threats, depending on the origin server’s configuration.

Mitigation

In addition to the WAF Rapid Rule we deployed on July 21, 2025, to protect against this specific request smuggling vector, we have implemented a separate, platform-wide change that eliminates this and similar attack vectors by terminating the connection to an origin and client for any OPTIONS requests with a body. This change was fully deployed on August 11, 2025.
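The two halves of the advisory, the origin-side framing problem and the proxy-side fix, can be modelled in a few dozen lines. The following is an added example written for this page; it is not Akamai's platform code or WAF rule, and every request in it is constructed sample data. It applies the RFC 9110/9112 message-framing rules (Transfer-Encoding takes precedence over Content-Length; neither means no body) to show how an origin that stops reading at the end of the header block leaves the declared body in the keep-alive buffer ahead of the next request, and it implements the mitigation described above in miniature: an OPTIONS request that declares a body by either mechanism is not forwarded, and the connection is closed instead.

```python
"""Added example, not part of Akamai's advisory or platform code.

Models (1) the RFC 9110/9112 rules that decide how many bytes belong
to a request body, so that an origin which ignores an OPTIONS body
leaves those bytes in the persistent connection, and (2) the proxy-side
mitigation of closing the connection for any OPTIONS request that
declares a body. All requests below are constructed sample data; the
function names are this example's own.
"""
from __future__ import annotations

CRLF = b"\r\n"


def parse_head(raw: bytes):
    """Split a raw request into (method, target, headers, body_offset).
    Headers come back as (lowercased name, value) pairs."""
    end = raw.find(CRLF + CRLF)
    if end < 0:
        raise ValueError("incomplete request head")
    lines = raw[:end].split(CRLF)
    method, target, _version = lines[0].decode("ascii").split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, headers, end + 4


def body_framing(headers):
    """RFC 9112 section 6: Transfer-Encoding wins over Content-Length;
    otherwise Content-Length fixes the size; neither means no body.
    Returns ("chunked" | "length" | "none", declared_length_or_None)."""
    te = [v for n, v in headers if n == "transfer-encoding"]
    if te:
        codings = [c.strip().lower() for c in ",".join(te).split(",")]
        if codings[-1] != "chunked":
            raise ValueError("body length cannot be determined")
        return ("chunked", None)
    cl = [v for n, v in headers if n == "content-length"]
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise ValueError("ambiguous Content-Length")
        n = int(cl[0])
        return ("length", n) if n > 0 else ("none", 0)
    return ("none", 0)


def chunked_length(buf: bytes) -> int:
    """Bytes occupied by a chunked body: chunks, last-chunk and trailer."""
    pos = 0
    while True:
        eol = buf.index(CRLF, pos)
        size = int(buf[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            break
        pos += size + 2  # chunk data plus its trailing CRLF
    end = buf.index(CRLF, pos)  # trailer section ends at an empty line
    while end != pos:
        pos = end + 2
        end = buf.index(CRLF, pos)
    return end + 2


def origin_leftover(raw: bytes, consumes_body: bool) -> bytes:
    """What remains unread in the connection buffer after the origin has
    handled the first request. A compliant origin drains the framed body;
    the noncompliant behaviour the advisory describes stops at the head,
    so the body is read as the start of the next request."""
    _method, _target, headers, body_start = parse_head(raw)
    if not consumes_body:
        return raw[body_start:]
    kind, n = body_framing(headers)
    if kind == "length":
        return raw[body_start + n:]
    if kind == "chunked":
        return raw[body_start + chunked_length(raw[body_start:]):]
    return raw[body_start:]


def proxy_decision(raw: bytes) -> str:
    """The platform mitigation in miniature: an OPTIONS request that
    declares a body (by either framing mechanism) is not forwarded and
    the client and origin connections are closed."""
    method, _target, headers, _ = parse_head(raw)
    try:
        kind, _ = body_framing(headers)
    except ValueError:
        return "close"  # unframeable request: also not forwarded
    return "close" if method == "OPTIONS" and kind != "none" else "forward"


# Constructed sample: an OPTIONS request declaring a 13-byte body, followed
# on the same keep-alive connection by an ordinary GET.
OPTIONS_WITH_BODY = (b"OPTIONS /api/ HTTP/1.1\r\nHost: origin.example\r\n"
                     b"Content-Length: 13\r\n\r\nstale-payload")
NEXT_GET = b"GET /index.html HTTP/1.1\r\nHost: origin.example\r\n\r\n"

if __name__ == "__main__":
    print("proxy:", proxy_decision(OPTIONS_WITH_BODY))
    print("noncompliant origin sees next:", origin_leftover(OPTIONS_WITH_BODY + NEXT_GET, False)[:30])
    print("compliant origin sees next:   ", origin_leftover(OPTIONS_WITH_BODY + NEXT_GET, True)[:30])
```

The `body_framing` helper is deliberately strict: conflicting `Content-Length` values or a `Transfer-Encoding` whose final coding is not `chunked` are treated as unframeable and the proxy closes the connection rather than guessing, since a disagreement between proxy and origin about where a body ends is exactly the condition that makes request smuggling possible.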
