Thursday, May 14, 2026

Akamai Addresses HTTP Request Smuggling Vulnerability In Edge Servers

Akamai has patched a critical flaw in its edge servers that could enable HTTP request smuggling attacks.

On November 17, 2025, the company rolled out a fix for CVE-2025-66373, stemming from mishandled chunked transfer encoding in HTTP/1.1.

This vulnerability arose when servers processed invalid chunk-encoded requests, potentially forwarding malicious payloads to origin servers.

Chunked transfer encoding breaks HTTP message bodies into sequential “chunks.” Each chunk starts with a hexadecimal size line, followed by exactly that many bytes of data, and ends with a CRLF line break.

A final zero-sized chunk signals the end of the body. Akamai’s edge servers previously mishandled invalid chunks whose declared size did not match the actual data length.

Under specific conditions, they forwarded the malformed request, along with extra “superfluous” bytes, to the backend origin.

Attackers could exploit this by embedding a smuggled HTTP request in those extra bytes.

For instance, an invalid chunk might declare a size of “10” but provide 20 bytes, with the overflow hiding a second request like “GET /admin HTTP/1.1\r\nHost: victim.com\r\n\r\n”.

If the origin server parsed leniently, ignoring the invalid chunk, it might execute the hidden request, bypassing security controls.

Exploitability hinged on the origin’s tolerance for malformed input, such as ignoring extra data or resetting its parser state.

CVE ID: CVE-2025-66373
Description: HTTP request smuggling via invalid chunked body size in edge servers
Severity: N/A
Affected Products: Akamai Edge Servers
Fixed Versions: All (patched Nov 17, 2025)
Disclosure Date: Dec 2, 2025
Reporter: Jinone (@jinonehk)

Vulnerability Details and Technical Impact

The flaw traces to how Akamai edge servers normalized invalid chunks. Per RFC 7230 (HTTP/1.1 Semantics), servers should reject malformed chunked bodies with a 400 Bad Request.

Instead, Akamai sometimes passed them through, causing desynchronization in request pipelines.

This mirrors classic smuggling vectors, such as CL.TE or TE.CL, but rooted in chunk size validation failures.

The real-world risk fell on Akamai customers with custom origins. A proof-of-concept might craft a request such as:

POST / HTTP/1.1
Host: edge.akamai.com
Transfer-Encoding: chunked

5\r
Hello\r
10\r
GET /secret HTTP/1.1\r\nHost: origin.com\r\n\r\n
0\r\n\r\n

Here, the second chunk claims a size of “10” (hexadecimal, i.e. 16 bytes) but includes a complete smuggled GET request plus padding.
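The defensive counterpart to the chunk-size mismatch described above is a decoder that refuses to forward a body unless every chunk is followed by CRLF exactly where its declared size says it should be, and that treats any bytes after the terminating zero chunk as superfluous rather than passing them to the origin. The following is an added illustration, not Akamai’s code or the patch itself; the function names and the sample bodies (including a body modelled on the proof-of-concept above) are constructed for this example.

```python
"""Strict HTTP/1.1 chunked-body validation, as an edge proxy might apply it
before forwarding a request body to an origin (added example, hypothetical)."""
from __future__ import annotations

HEX_DIGITS = b"0123456789abcdefABCDEF"


class ChunkedBodyError(ValueError):
    """A chunked body that violates the RFC 7230 grammar; map to 400 Bad Request."""


def decode_chunked_strict(raw: bytes) -> tuple[bytes, bytes]:
    """Decode a chunked body and return (decoded_body, bytes_after_last_chunk).

    Rejects a non-hex size line, chunk data that is not followed by CRLF exactly
    `size` bytes later (the declared/actual length mismatch behind the flaw), and
    a missing last-chunk. Trailing bytes after the final CRLF are returned rather
    than silently consumed, so the caller can refuse to forward them.
    Simplification: trailer fields after the last-chunk are not supported.
    """
    pos = 0
    out = bytearray()
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol == -1:
            raise ChunkedBodyError("chunk-size line not CRLF-terminated")
        size_line = raw[pos:eol]
        # A chunk extension (";name=value") is legal; strip it before reading the size.
        size_field = size_line.split(b";", 1)[0].strip()
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            raise ChunkedBodyError(f"invalid chunk size line {size_line!r}")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            # last-chunk must be followed by the empty line that ends the body
            if raw[pos:pos + 2] != b"\r\n":
                raise ChunkedBodyError("missing CRLF after last-chunk")
            pos += 2
            return bytes(out), raw[pos:]
        data = raw[pos:pos + size]
        if len(data) != size:
            raise ChunkedBodyError(f"chunk declares {size} bytes but body is truncated")
        if raw[pos + size:pos + size + 2] != b"\r\n":
            # This is the exact condition a lenient parser would wave through.
            raise ChunkedBodyError(
                f"chunk declares {size} bytes but data is not followed by CRLF")
        out += data
        pos += size + 2


def check_body_for_forwarding(raw: bytes) -> tuple[int, str]:
    """Decide whether an edge proxy may forward this body: (status, reason)."""
    try:
        body, trailing = decode_chunked_strict(raw)
    except ChunkedBodyError as exc:
        return 400, str(exc)
    if trailing:
        return 400, f"{len(trailing)} superfluous bytes after last-chunk"
    return 200, f"ok ({len(body)} body bytes)"


if __name__ == "__main__":
    # Constructed sample bodies (not captured traffic).
    samples = {
        "well-formed": b"5\r\nHello\r\n0\r\n\r\n",
        "size mismatch (modelled on the PoC above)":
            b"5\r\nHello\r\n10\r\nGET /secret HTTP/1.1\r\nHost: origin.com\r\n\r\n0\r\n\r\n",
        "bytes after last-chunk": b"5\r\nHello\r\n0\r\n\r\nGET /admin HTTP/1.1\r\n",
    }
    for label, body in samples.items():
        status, reason = check_body_for_forwarding(body)
        print(f"{label:45s} -> {status} {reason}")
```

The decoder deliberately returns the leftover bytes instead of discarding them: a proxy that quietly drops what it cannot parse can still leave the origin and the edge disagreeing about where one request ends and the next begins, which is the desynchronization the article describes.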

Successful exploits could lead to cache poisoning, XSS, or unauthorized access, depending on the origin behavior.

Mitigation and Disclosure

Akamai learned of the issue on September 18, 2025, via its Bug Bounty Program.

Engineers deployed a comprehensive fix by November 17, validating chunk sizes rigorously across all services. Customers need take no action; the patch is automatic and retroactive.

The company assigned CVE-2025-66373 and credited researcher Jinone (@jinonehk) for the report.

This proactive response underscores the importance of edge platform security amid rising request smuggling threats.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.