{"id":8925,"date":"2025-12-04T10:00:51","date_gmt":"2025-12-04T10:00:51","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/12\/04\/akamai-patches-http-request-smuggling-vulnerability-in-edge-servers\/"},"modified":"2025-12-04T10:00:51","modified_gmt":"2025-12-04T10:00:51","slug":"akamai-patches-http-request-smuggling-vulnerability-in-edge-servers","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/12\/04\/akamai-patches-http-request-smuggling-vulnerability-in-edge-servers\/","title":{"rendered":"Akamai Patches HTTP Request Smuggling Vulnerability in Edge Servers"},"content":{"rendered":"<p>    Akamai Patches HTTP Request Smuggling Vulnerability in Edge Servers<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>A critical HTTP request smuggling vulnerability in Akamai\u2019s edge server infrastructure has been successfully fixed.<\/p>\n<p>The vulnerability, identified as CVE-2025-66373, stemmed from improper processing of <a href=\"https:\/\/cybersecuritynews.com\/microsoft-details-asp-net-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">HTTP requests<\/a> containing invalid chunk-encoded bodies, potentially exposing thousands of customers to sophisticated attacks.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-understanding-http-chunked-transfer-encoding\"><strong>Understanding HTTP Chunked Transfer Encoding<\/strong><\/h2>\n<p>HTTP chunked transfer encoding is an HTTP\/1.1 standard that breaks message bodies into smaller chunks for efficient transmission. Each chunk consists of a size indicator followed by the corresponding data.<\/p>\n<p>Akamai\u2019s edge servers contained a flaw in how they processed malformed chunked requests. Specifically, those where the declared chunk size did not match the actual data size.<\/p>\n<p>When servers received such invalid requests, they incorrectly forwarded both the malformed request and superfluous data bytes to origin servers in certain conditions.<\/p>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Field<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Details<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>CVE ID<\/strong><\/td>\n<td>CVE-2025-66373<\/td>\n<\/tr>\n<tr>\n<td><strong>Vulnerability Type<\/strong><\/td>\n<td>HTTP Request Smuggling<\/td>\n<\/tr>\n<tr>\n<td><strong>Affected Component<\/strong><\/td>\n<td>Akamai Edge Servers<\/td>\n<\/tr>\n<tr>\n<td><strong>Root Cause<\/strong><\/td>\n<td>Incorrect processing of invalid chunk-encoded request bodies<\/td>\n<\/tr>\n<tr>\n<td><strong>Severity Level<\/strong><\/td>\n<td>High<\/td>\n<\/tr>\n<tr>\n<td><strong>CVSS Score<\/strong><\/td>\n<td>7.5<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>This created an attack surface for HTTP Request Smuggling, a technique where attackers hide unauthorized requests within seemingly <a href=\"https:\/\/cybersecuritynews.com\/chinese-plushdaemon-hackers-use-edgestepper-tool\/\" target=\"_blank\" rel=\"noreferrer noopener\">legitimate traffic<\/a>.<\/p>\n<p>An attacker exploiting this vulnerability could have concealed malicious requests within the extra bytes transmitted to origin servers.<\/p>\n<p>The practical exploitability depended on how individual origin servers processed the invalid requests they received from Akamai\u2019s infrastructure.<\/p>\n<p>However, the potential for abuse was significant, as successful <a href=\"https:\/\/cybersecuritynews.com\/filefix-and-cache-smuggling-attacks\/\" target=\"_blank\" rel=\"noreferrer noopener\">smuggling attacks<\/a> could bypass security controls. Manipulate application logic, or execute unauthorized actions on behalf of legitimate users.<\/p>\n<p>Akamai detected the vulnerability on September 18, 2025. Following a two-month investigation and remediation period.<\/p>\n<p>The company deployed a complete fix on November 17, 2025, eliminating the vulnerability from all Akamai services globally. Notably, no customer action is required; the patch was applied transparently across the entire platform.<\/p>\n<p>The company formally disclosed this security issue through CVE-2025-66373 as part of its standard vulnerability disclosure process.<\/p>\n<p><a href=\"https:\/\/www.akamai.com\/blog\/security\/cve-2025-66373-http-request-smuggling-chunked-body-size\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Akamai<\/a> credited the security researcher for discovering and reporting the vulnerability through its <a href=\"https:\/\/cybersecuritynews.com\/what-is-bug-bounty-program-why-organization-needs-them\/\" target=\"_blank\" rel=\"noreferrer noopener\">Bug Bounty Program<\/a>.<\/p>\n<p>The coordinated disclosure exemplified responsible vulnerability management and demonstrated how collaborative security research strengthens the broader internet ecosystem.<\/p>\n<p>This patch reinforces Akamai\u2019s commitment to maintaining the security and reliability of its content delivery. An edge computing infrastructure, protecting millions of organizations worldwide from emerging threats.<\/p>\n<p class=\"has-text-align-center has-background\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 94%,rgb(169,184,195) 100%)\"><strong>Follow us on <a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google News<\/a>, <a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">LinkedIn<\/a>, and <a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">X<\/a> for daily cybersecurity updates. <a href=\"https:\/\/cybersecuritynews.com\/contact-us\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Contact us<\/a> to feature your stories.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/akamai-http-request-smuggling-vulnerability\/\">Akamai Patches HTTP Request Smuggling Vulnerability in Edge Servers<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Abinaya<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/akamai-http-request-smuggling-vulnerability\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Akamai Patches HTTP Request Smuggling Vulnerability in Edge Servers A critical HTTP request smuggling vulnerability in Akamai\u2019s edge server infrastructure has been successfully fixed. The vulnerability, identified as CVE-2025-66373, stemmed from improper processing of HTTP requests containing invalid chunk-encoded bodies, potentially exposing thousands of customers to sophisticated attacks. Understanding HTTP Chunked Transfer Encoding HTTP chunked [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-8925","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8925"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8925"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8925\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8925"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8925"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8925"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}