Akamai Technologies disclosed a critical HTTP request smuggling vulnerability affecting its content delivery network platform that could allow attackers to inject hidden secondary requests through a sophisticated exploitation technique.
The vulnerability, designated CVE-2025-32094, was discovered through the company's bug bounty program and has been resolved across all customer deployments without evidence of successful exploitation in the wild.
Vulnerability Details and Attack Vector
The security flaw stems from a complex interaction between multiple processing defects within Akamai's edge server infrastructure.
Specifically, the vulnerability manifests when clients send HTTP/1.x OPTIONS requests containing an "Expect: 100-continue" header that uses obsolete line folding.
This combination creates a dangerous parsing discrepancy between different Akamai servers in the traffic processing chain. The attack exploits two distinct implementation defects working in tandem.
First, when a request includes an Expect: 100-continue header spanning multiple lines through obsolete HTTP line folding, Akamai's initial edge server correctly removes the line folding before forwarding the request but, because of a software bug, fails to honor the header.
Second, a separate implementation flaw specific to OPTIONS request processing prevents proper forwarding of requests that carry a message body.
Together these defects create a critical desynchronization in which two Akamai servers interpret the same request differently, leading to erroneous parsing of the request body and enabling attackers to smuggle malicious requests within the legitimate request body.
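As an added illustration, not code from the advisory, from Akamai or from PortSwigger, the following Python script shows the defensive check a proxy operator or WAF rule author would want in front of the request shape described above: it unfolds obsolete line folding the way RFC 9112 section 5.2 prescribes (reject, or replace each obs-fold with a space before interpreting or forwarding the field) and flags an OPTIONS request that carries Expect: 100-continue together with a message body. The sample requests, the host name and the finding strings are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed sample (not taken from the advisory): an HTTP/1.x OPTIONS request whose
# Expect header is split across two lines with obsolete line folding, i.e. a
# continuation line that starts with SP or HTAB.
SAMPLE_FOLDED_OPTIONS = (
    b"OPTIONS /api HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Expect:\r\n"
    b" 100-continue\r\n"
    b"Content-Length: 3\r\n"
    b"\r\n"
    b"x=1"
)

# Constructed benign request used as a control.
SAMPLE_CLEAN_GET = (
    b"GET / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
)


@dataclass
class Inspection:
    method: str
    obs_fold_lines: int          # number of obs-fold continuation lines seen
    headers: dict                # unfolded headers, lower-cased name -> value
    has_body: bool               # a body is declared via Content-Length or chunked TE
    findings: list = field(default_factory=list)


def unfold_headers(raw_header_block: bytes):
    """Split a header block into (start_line, headers, obs_fold_count).

    Each obs-fold (CRLF followed by SP/HTAB) is replaced by a single SP, which is
    the normalisation RFC 9112 section 5.2 allows instead of rejecting the message.
    """
    lines = raw_header_block.split(b"\r\n")
    start_line = lines[0].decode("latin-1")
    fields = []
    obs_fold = 0
    for line in lines[1:]:
        if not line:
            continue
        if line[:1] in (b" ", b"\t"):
            obs_fold += 1
            if fields:
                fields[-1] = fields[-1] + b" " + line.lstrip(b" \t")
            continue                      # a fold before any field is just counted
        fields.append(line)
    headers = {}
    for f in fields:
        name, _, value = f.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return start_line, headers, obs_fold


def inspect_request(raw: bytes) -> Inspection:
    """Normalise one raw HTTP/1.x request and report the risky traits described above."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    start_line, headers, obs_fold = unfold_headers(head)
    method = start_line.split(" ", 1)[0].upper()
    declared_len = headers.get("content-length", "0") or "0"
    chunked = "chunked" in headers.get("transfer-encoding", "").lower()
    has_body = chunked or (declared_len.isdigit() and int(declared_len) > 0)

    result = Inspection(method, obs_fold, headers, has_body)
    if obs_fold:
        result.findings.append(
            "obsolete line folding present; RFC 9112 5.2: reject or normalise before forwarding"
        )
    if method == "OPTIONS" and headers.get("expect", "").lower() == "100-continue" and has_body:
        result.findings.append(
            "OPTIONS with Expect: 100-continue and a message body; "
            "matches the CVE-2025-32094 request shape, do not forward as-is"
        )
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_FOLDED_OPTIONS, SAMPLE_CLEAN_GET):
        r = inspect_request(sample)
        print(r.method, r.obs_fold_lines, r.has_body, r.findings)
```

The unfolding step is deliberately done before the Expect check: a front end that matches on the raw bytes would miss the folded form, which is exactly the discrepancy the advisory describes between servers that do and do not normalise the header.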
| Attribute | Details |
| --- | --- |
| CVE ID | CVE-2025-32094 |
| Type | HTTP Request Smuggling |
| Attack Vector | OPTIONS + Obsolete Line Folding |
| Discovery Date | March 2025 |
| Public Disclosure | August 06, 2025 |
| Researcher | James Kettle (PortSwigger) |
| CVSS Score | Not yet assigned |
| Affected Component | Akamai Edge Servers |
Akamai responded swiftly to the vulnerability report, implementing a platform-wide fix that automatically protected all customers without requiring individual configuration changes.
The company coordinated disclosure with security researcher James Kettle of PortSwigger, aligning the public announcement with related research presented at Black Hat 2025.
The bug bounty reward was jointly funded by Akamai and PortSwigger, with the combined payment donated to 42nd Street, a mental health charity supporting young people.
This collaborative approach demonstrates effective industry cooperation in responsible vulnerability disclosure.
The vulnerability highlights the continued challenges of HTTP protocol implementation across complex distributed systems, particularly regarding legacy features such as obsolete line folding that continue to create unexpected security implications in modern infrastructure deployments.