Akamai acquires LayerX, delivering end-to-end security and real-time AI usage control to any browser. Get details

CVE-2025-66373: HTTP Request Smuggling Due to Invalid Chunked Body Size

Akamai Wave Blue

Dec 02, 2025

Akamai

Akamai Wave Blue

Written by

Akamai

Share

On November 17, 2025, Akamai eliminated a potential HTTP Request Smuggling vector that resulted from incorrect processing of requests containing an invalid chunk-encoded body.

Chunked transfer encoding is a data transfer mechanism available in HTTP 1.1, in which the body of an HTTP message is encoded in any number of chunks. Every chunk is made up of a chunk size followed by the chunk data of the indicated size.

Akamai edge servers contained a vulnerability due to erroneous processing of requests with a chunk-encoded body.

Vulnerability details

Specifically, when Akamai edge servers received an invalid chunked body — one that included a chunk size that does not match the actual size of the following chunk data — the servers (under certain circumstances) incorrectly forwarded the invalid request and subsequent superfluous bytes to the origin server.

An attacker could have hidden a smuggled request in these superfluous bytes, exposing Akamai customers to potential HTTP Request Smuggling attacks. Whether this vulnerability was exploitable in practice depended on the origin server’s behavior and how it processed the invalid request it received from Akamai.

Mitigation

Akamai became aware of this issue on September 18, 2025. On November 17, 2025, a full fix was deployed, completely eliminating the vulnerability from all Akamai services. No remediation action is required by customers.

As part of our regular incident response work and vulnerability analysis, we have disclosed this issue through CVE-2025-66373.

Special thanks

We thank “Jinone (@jinonehk)” for reporting the findings that led to the discovery of this issue through Akamai’s Bug Bounty Program, and coordinating with us throughout our investigation, which helped make the internet more secure.

Akamai Wave Blue

Dec 02, 2025

Akamai

Akamai Wave Blue

Written by

Akamai

Tags

Share

Related Blog Posts

Security
Post-Quantum Cryptography: What’s Next for Edge Security
July 15, 2026
Explore the next wave of post-quantum cryptography. Rich Salz breaks down Google’s 2029 timeline, new signatures, and the IETF PLANTS working group.
Security
Smash and Grab at Scale: Agentic AI Is Reshaping the Threat to Commerce
July 15, 2026
The SOTI Security report examines how agentic AI is disrupting commerce security, scaling API abuse, and driving up infrastructure costs.
Security
Boardroom Conversations Shift to Surviving a Breach
July 14, 2026
Akamai’s Mani Sundaram discusses the rise of AI-powered microsegmentation and breach survivability — and what new questions boards are asking CISOs today.