Akamai Technologies has patched a critical HTTP request smuggling vulnerability affecting its Ghost platform, after a coordinated disclosure with security researcher James Kettle of PortSwigger.
The vulnerability, tracked as CVE-2025-32094, allowed attackers to inject a secondary HTTP request within the body of an initial request under specific conditions. Akamai deployed a universal fix in March 2025 and confirmed no known in-the-wild exploits.
The issue arose when an HTTP/1.x client sent an OPTIONS request that included an Expect: 100-continue header using obsolete line folding.
In HTTP/1.x, line folding permits long header values to be split across multiple lines by beginning continuation lines with whitespace—an outdated practice rarely used today.
When such a folded Expect header reached an Akamai edge server, the server correctly unfolded it before proxying.
However, due to a latent software defect, the same edge server failed to honor the Expect: 100-continue directive at the initial parse stage, causing it to proceed without issuing the expected 100 Continue interim response.
Simultaneously, a separate implementation vulnerability in how Akamai processes OPTIONS requests could result in the server neglecting to forward an OPTIONS request body altogether.
When combined, these two defects produced a parsing divergence between successive Akamai nodes on the traffic path.
The first node stripped and ignored the folded Expect header’s semantics, while the second node correctly honored the header and forwarded the embedded payload.
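The parsing divergence described above comes down to the order in which a node unfolds and interprets headers. The following added example (not Akamai's or PortSwigger's code; the request heads and host are constructed) contrasts a parser that reads Expect before unfolding with a normalizer that unfolds first, per RFC 7230 section 3.2.4, and flags the conditions a defender would want to reject or log:

```python
import re

# Constructed sample request heads for this example (not from the advisory).
NORMAL = (b"OPTIONS /api HTTP/1.1\r\nHost: example.test\r\n"
          b"Expect: 100-continue\r\nContent-Length: 5\r\n\r\n")
FOLDED = (b"OPTIONS /api HTTP/1.1\r\nHost: example.test\r\n"
          b"Expect:\r\n 100-continue\r\n"          # obs-fold continuation line
          b"Content-Length: 5\r\n\r\n")

OBS_FOLD = re.compile(rb"\r\n[ \t]+")   # CRLF followed by SP or HTAB

def split_headers(head):
    """Parse 'Name: value' lines after the request line into a lowercase-keyed dict."""
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return headers

def naive_expect(raw):
    """Read Expect WITHOUT unfolding, like a parser that interprets the header
    before normalizing it. A folded value reads as empty here, so no
    100 Continue would be issued even though a later hop will honor it."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return split_headers(head).get("expect", "")

def normalize(raw):
    """Defender-side order of operations: unfold first, then interpret.
    Returns (method, headers, findings) where findings lists conditions the
    edge should reject with 400 or handle consistently on every tier."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    findings = []
    if OBS_FOLD.search(head):
        findings.append("obs-fold")              # reject, or replace with SP before use
        head = OBS_FOLD.sub(b" ", head)
    method = head.split(b" ", 1)[0].decode()
    headers = split_headers(head)
    if headers.get("expect", "").lower() == "100-continue":
        findings.append("expect-100-continue")   # answer 100 Continue or reject; never ignore
    if method == "OPTIONS" and (headers.get("content-length", "0") != "0"
                                or "transfer-encoding" in headers):
        findings.append("options-with-body")     # forward or reject the body; never drop it
    return method, headers, findings
```

Comparing `naive_expect(FOLDED)` (empty) with `normalize(FOLDED)[1]["expect"]` (`100-continue`) reproduces the two readings that the two Akamai nodes disagreed on.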
This discrepancy permitted an attacker to hide a full secondary HTTP request inside the body of the first request, effectively “smuggling” it past the edge infrastructure and into downstream services.
Akamai Ghost Platform Vulnerability
Akamai’s internal security team received the bug bounty report in March 2025 and immediately commenced incident response and code analysis.
To manage disclosure timing, Akamai liaised with PortSwigger researcher James Kettle, whose own research into HTTP desynchronization attacks—nicknamed “Ghost”—was slated for publication at BlackHat USA 2025.
By synchronizing public details with the conference schedule, both parties ensured that the broader security community received comprehensive technical guidance concurrently with the formal vulnerability announcement.
Upon validating the exploitability and scope of the root-cause defects, Akamai requested a CVE identifier from MITRE. The vulnerability was assigned CVE-2025-32094 and cataloged by the National Vulnerability Database.
The Common Vulnerability Scoring System (CVSS) base score for the vulnerability stands at 8.1 (High), reflecting the attack’s potential to bypass defenses and reach origin servers with malicious payloads.
Mitigations
Akamai swiftly rolled out a platform-wide fix that normalized header parsing logic and enforced consistent handling of Expect: 100-continue directives across all edge tiers.
By addressing CVE-2025-32094 before public exploitation, Akamai has reinforced trust in its Ghost platform’s resilience and highlighted the value of coordinated disclosure partnerships in safeguarding the internet’s critical infrastructure.
The patched release also tightened OPTIONS request processing to ensure that bodies cannot be discarded inadvertently.
Customers received immediate updates via Akamai’s community portal, with detailed remediation steps and configuration guidance.
Although no customer impact or abuse was detected in production environments, the discovery underscores the persistent risk posed by legacy HTTP behaviors and the complexity of multi-stage content delivery networks.
Akamai’s proactive response demonstrates the importance of rigorous protocol compliance testing, especially when evolving large-scale, distributed service platforms.
The combined bug bounty reward from Akamai and PortSwigger was donated to the 42nd Street young people’s mental health charity, reflecting the security community’s commitment to social responsibility.