On November 17, 2025, Akamai eliminated a potential HTTP Request Smuggling vector that resulted from incorrect processing of requests containing an invalid chunk-encoded body.
Chunked transfer encoding is a data transfer mechanism available in HTTP/1.1, in which the body of an HTTP message is encoded in any number of chunks. Every chunk is made up of a chunk size followed by the chunk data of the indicated size.
Akamai edge servers contained a vulnerability due to erroneous processing of requests with a chunk-encoded body.
Vulnerability details
Specifically, when Akamai edge servers received an invalid chunked body — one that included a chunk size that does not match the actual size of the following chunk data — the servers (under certain circumstances) incorrectly forwarded the invalid request and subsequent superfluous bytes to the origin server.
An attacker could have hidden a smuggled request in these superfluous bytes, exposing Akamai customers to potential HTTP Request Smuggling attacks. Whether this vulnerability was exploitable in practice depended on the origin server’s behavior and how it processed the invalid request it received from Akamai.
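The framing check at issue, as an added example that is not Akamai's code and does not model the edge servers' internals: a strict chunked-body parser that refuses any body whose declared chunk size does not match the chunk data, so that nothing after the mismatch is forwarded. The names parse_chunked, decide and ChunkedBodyError, the 8-digit size limit and the sample bodies are assumptions made for this illustration.

```python
import re

# chunk-size is 1*HEXDIG with optional chunk extensions (RFC 9112, section 7.1).
# A regex is used because int(x, 16) alone would also accept "+5", "0x5" or " 5".
# The 8-digit cap is an assumption of this example, to bound the declared size.
_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]{1,8})(?:;[^\r\n]*)?")

# Constructed sample bodies: one well-formed, one declaring 5 bytes but carrying 11.
VALID = b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
MISMATCH = b"5\r\nhello world\r\n0\r\n\r\n"


class ChunkedBodyError(ValueError):
    """Raised when a body is not a well-formed chunked body."""


def parse_chunked(buf):
    """Decode one chunked body; return (payload, number of bytes it occupied)."""
    pos, payload = 0, bytearray()
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedBodyError("chunk-size line not terminated by CRLF")
        m = _SIZE_LINE.fullmatch(buf, pos, eol)
        if m is None:
            raise ChunkedBodyError("invalid chunk-size line")
        size, pos = int(m.group(1), 16), eol + 2
        if size == 0:
            break  # last-chunk; the trailer section follows
        end = pos + size
        # Exactly `size` bytes of data must be followed by CRLF.
        if buf[end:end + 2] != b"\r\n":
            raise ChunkedBodyError("chunk size does not match chunk data")
        payload += buf[pos:end]
        pos = end + 2
    while True:  # skip optional trailer fields up to the empty line
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedBodyError("trailer section not terminated")
        empty, pos = eol == pos, eol + 2
        if empty:
            return bytes(payload), pos


def decide(buf):
    """Hypothetical policy hook: forward only bodies that parse cleanly."""
    try:
        parse_chunked(buf)
    except ChunkedBodyError as exc:
        return f"reject-and-close: {exc}"
    return "forward"
```

The byte count returned by parse_chunked marks where the message ends, so an intermediary and an origin that both apply this rule agree on the boundary of every request.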
Mitigation
Akamai became aware of this issue on September 18, 2025. On November 17, 2025, a full fix was deployed, completely eliminating the vulnerability from all Akamai services. No remediation action is required by customers.
As part of our regular incident response work and vulnerability analysis, we have disclosed this issue through CVE-2025-66373.
Special thanks
We thank “Jinone (@jinonehk)” for reporting the findings that led to the discovery of this issue through Akamai’s Bug Bounty Program, and coordinating with us throughout our investigation, which helped make the internet more secure.