The vulnerability, which involved OPTIONS requests combined with obsolete line folding techniques, has been fully resolved across Akamai’s platform with no evidence of successful exploitation.
Security researcher James Kettle from PortSwigger identified the flaw, with details coordinated for disclosure alongside related research presented at Black Hat 2025.
The vulnerability emerged from a complex interaction between two specific implementation defects in Akamai’s HTTP/1.x request processing system.
The attack vector required an attacker to craft an OPTIONS request containing an Expect: 100-continue header written with obsolete line folding (obs-fold), a deprecated HTTP/1.x feature in which a header value continues on a following line that begins with a space or tab.
When such requests were processed, Akamai’s edge servers demonstrated inconsistent behavior in handling the malformed headers.
The first defect occurred when edge servers correctly rewrote folded headers to remove the line breaks before forwarding requests, but then failed to honor the Expect: 100-continue header because of a software bug.
At the same time, a separate implementation flaw specific to OPTIONS request processing caused the servers to mishandle OPTIONS requests that carried a message body.
The combination created a desynchronization condition: two servers in the traffic path interpreted the same request differently, allowing an attacker to hide a second request inside the body of the first and potentially bypass security controls.
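As an added illustration (not code from the article, Akamai or PortSwigger), the checker below normalizes obs-fold the way an edge proxy would and flags the request shape the article describes: an OPTIONS request that carries a body and a folded Expect: 100-continue header. Both sample requests are constructed for the example.

```python
import re  # kept for readers who want to extend the line splitting to bare LF

# Constructed sample requests (not captures from the incident).
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
          b"Expect: 100-continue\r\n\r\n")
SUSPICIOUS = (b"OPTIONS /api HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Length: 3\r\n"
              b"Expect:\r\n 100-continue\r\n"   # obs-fold: value continues on next line
              b"\r\nx=1")

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, headers, body, folded).

    Header names are lower-cased; obs-fold continuation lines (starting with
    SP or HTAB) are joined onto the preceding header with a single space, as
    RFC 7230 section 3.2.4 requires. 'folded' records which headers used it.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("ascii")
    headers, folded, current = {}, set(), None
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            if current is None:
                raise ValueError("obs-fold continuation before any header")
            headers[current] = (headers[current] + b" " + line.strip()).strip()
            folded.add(current)
            continue
        name, _, value = line.partition(b":")
        current = name.strip().lower().decode("ascii")
        headers[current] = value.strip()
    return method, headers, body, folded

def assess(raw: bytes) -> list:
    """Return findings for the risky request shape described in the article."""
    method, headers, body, folded = parse_request(raw)
    findings = []
    if folded:
        findings.append("obs-fold in header(s): " + ", ".join(sorted(folded)))
    if "expect" in folded and headers["expect"].lower() == b"100-continue":
        findings.append("folded Expect: 100-continue")
    has_body = bool(body) or headers.get("content-length", b"0") != b"0" \
        or b"chunked" in headers.get("transfer-encoding", b"").lower()
    if method == "OPTIONS" and has_body:
        findings.append("OPTIONS request with a body")
    return findings
```

A front-end proxy that rejects requests with any finding, or at least refuses obs-fold outright, removes the ambiguity the two back-end parsers disagreed on.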
Akamai’s response to CVE-2025-32094 demonstrates effective vulnerability management practices within the cybersecurity industry.
Upon receiving the bug bounty report, the company implemented a platform-wide fix protecting all customers while maintaining transparent communication through regular updates.
The disclosure timeline was coordinated with James Kettle’s research presentation at Black Hat 2025, allowing for comprehensive public awareness of the attack methodology.
The collaborative approach extended beyond technical remediation, with both Akamai and PortSwigger contributing to the bug bounty reward, which was subsequently donated to 42nd Street, a mental health charity supporting young people.
This incident highlights the critical importance of responsible disclosure practices in identifying and addressing HTTP protocol vulnerabilities before they can be exploited maliciously.
The assignment of CVE-2025-32094 by MITRE ensures proper tracking and awareness of this vulnerability across the broader security community.
The post Akamai Ghost Platform Flaw Allows Hidden Second Request in Original Body appeared first on Cyber Security News.