CVE-2025-32094: HTTP Request Smuggling Via OPTIONS + Obsolete Line Folding

Akamai Wave Blue

Written by

Akamai InfoSec

August 06, 2025


In March 2025, Akamai received a bug bounty report identifying an HTTP Request Smuggling vulnerability. We quickly resolved the issue for all customers via a platform-wide fix, and we have no evidence of any successful exploitation of this attack vector.

We provided our customers with regular updates about this vulnerability; however, as per our agreement with the bug bounty reporter, James Kettle from PortSwigger, we delayed sharing the full details publicly to align with the reporter's plans for publication of related research at BlackHat 2025.

Details

The vulnerability details are as follows:

Under certain circumstances, a client making an HTTP/1.x OPTIONS request with an Expect: 100-continue header and using obsolete line folding could lead to a discrepancy in how two in-path Akamai servers interpreted the request. Two issues with how Akamai processes requests using the Expect: 100-continue header combined to cause the vulnerability.

  1. When a request included an Expect: 100-continue header using the obsolete HTTP line folding feature (i.e., the header spanned two lines), the Akamai edge server that initially received the request correctly rewrote the header to remove line folding before forwarding the request, but, due to a software defect, did not itself honor the Expect: 100-continue header.
  2. Due to an implementation defect specific to the processing of OPTIONS requests, Akamai servers might not have correctly forwarded an OPTIONS request containing a body section.

These combined issues led to a discrepancy in how two Akamai servers on the traffic path interpreted the same request, resulting in erroneous parsing of the request body. An attacker could abuse this discrepancy to smuggle a request in the request body.
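The two hops disagreed because they derived "the client is waiting for 100 Continue" and "this request carries a body of N bytes" from different views of the same head. The parser below is an added illustration, not Akamai's code, and assumes nothing about how Akamai's servers are implemented; it shows the property every in-path hop needs: either reject obsolete line folding (obs-fold) outright or replace each fold with a single SP, as RFC 9112 section 5.2 allows, before any header is inspected, and then derive the Expect and body-length decisions from that normalized head without regard to the request method. The sample requests are constructed for the example.

```python
import re
from typing import Dict, List

# obs-fold: CRLF (or bare LF) followed by at least one SP / HTAB (RFC 9112 5.2)
OBS_FOLD = re.compile(rb"\r?\n[ \t]+")


def parse_head(raw: bytes, reject_obs_fold: bool = True):
    """Parse an HTTP/1.x request head into (request_line, headers, used_obs_fold).

    RFC 9112 5.2 lets a server either reject obs-fold with 400 Bad Request or
    replace each obs-fold with SP. Either is fine; what matters in a multi-hop
    deployment is that every hop applies the same rule before reading headers.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    used_obs_fold = OBS_FOLD.search(head) is not None
    if used_obs_fold and reject_obs_fold:
        raise ValueError("obsolete line folding rejected (400 Bad Request)")
    head = OBS_FOLD.sub(b" ", head)  # unfold before any header lookup
    lines = head.split(b"\r\n")
    headers: Dict[bytes, List[bytes]] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # No whitespace is allowed between field name and colon (RFC 9112 5.1)
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.lower(), []).append(value.strip())
    return lines[0], headers, used_obs_fold


def describe_request(raw: bytes, reject_obs_fold: bool = True) -> dict:
    """Return the facts each hop must agree on: the method, whether the client
    is waiting for 100 Continue, and how many body bytes follow the head.
    Transfer-Encoding is deliberately out of scope for this illustration."""
    request_line, headers, used_obs_fold = parse_head(raw, reject_obs_fold)
    method, _target, _version = request_line.split(b" ", 2)

    # Expect is evaluated from the normalized head, so a folded header and an
    # unfolded one produce the same answer at this hop.
    expect_continue = any(v.lower() == b"100-continue"
                          for v in headers.get(b"expect", []))

    lengths = {int(v) for v in headers.get(b"content-length", [])}
    if len(lengths) > 1:
        raise ValueError("conflicting Content-Length values")
    content_length = lengths.pop() if lengths else 0
    if content_length < 0:
        raise ValueError("negative Content-Length")

    # The body decision does not depend on the method: an OPTIONS request with
    # Content-Length: 5 carries five body bytes that must travel with it.
    return {
        "method": method.decode("ascii"),
        "expect_continue": expect_continue,
        "content_length": content_length,
        "used_obs_fold": used_obs_fold,
    }


def rejects(raw: bytes) -> bool:
    """True if the strict (default) parser refuses this request head."""
    try:
        describe_request(raw)
    except ValueError:
        return True
    return False


# Constructed sample requests (not traffic from the report). The first carries
# Expect: 100-continue split over two lines with obs-fold; the second is the
# same request written the normal way.
FOLDED = (b"OPTIONS /api/items HTTP/1.1\r\n"
          b"Host: example.test\r\n"
          b"Content-Length: 5\r\n"
          b"Expect:\r\n 100-continue\r\n"
          b"\r\n")
UNFOLDED = FOLDED.replace(b"Expect:\r\n 100-continue", b"Expect: 100-continue")

if __name__ == "__main__":
    print("strict parser rejects folded request:", rejects(FOLDED))
    lenient = describe_request(FOLDED, reject_obs_fold=False)
    normal = describe_request(UNFOLDED)
    print("lenient view of folded request:", lenient)
    print("view of unfolded request      :", normal)
    # Both views agree on every field except the fold marker itself.
    assert {k: v for k, v in lenient.items() if k != "used_obs_fold"} == \
           {k: v for k, v in normal.items() if k != "used_obs_fold"}
```

Run as a script it prints both views; the check at the end is the invariant a front-end and its upstream should share. In a real deployment the safest configuration is the strict default (reject obs-fold at the first hop), because then no later hop ever sees a folded header and there is nothing left to disagree about.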

As part of our regular incident response work and vulnerability analysis, we requested a Common Vulnerabilities and Exposures (CVE) identifier from MITRE, which allocated CVE-2025-32094 for this issue.

The bug bounty reward paid out by Akamai was matched by PortSwigger, and the combined sum was donated by PortSwigger to the 42nd Street young people's mental health charity. We are grateful for the coordinated disclosure and successful collaboration with James to help keep our customers safe, while at the same time ensuring compatibility and reliability for our customers.
