Akamai Ghost HTTP Request Smuggling Vulnerability via OPTIONS Requests with Body
Vulnerability
A vulnerability allowing HTTP request smuggling has been identified in Akamai Ghost versions prior to 2025-07-21. This issue arises when an OPTIONS request includes an entity body, which some origin servers may improperly handle. As a result, the request body can persist in the connection between an Akamai proxy server and the origin server, potentially leading to cache poisoning or other security threats, depending on the origin server's configuration.
Impact
Exploitation of this vulnerability could allow for HTTP request smuggling, with the possibility of cache poisoning or other security-related threats, depending on the origin server's configuration.
Remediation
Akamai has deployed a WAF Rapid Rule to protect against this specific request smuggling vector and implemented a platform-wide change to terminate connections for OPTIONS requests with a body. This change was fully deployed on August 11, 2025.
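One way an origin or intermediary could apply the same rule as the platform change described above, shown as an added example that is not Akamai's code: it flags an OPTIONS request whose framing headers declare a body and returns a decision to close the connection, so no unread bytes stay on it. The function names and sample requests are constructed for illustration.

```python
# Added example (not Akamai code). Names and sample requests are constructed.

def parse_head(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    # Upper-casing the method is a deliberately conservative match.
    method = lines[0].split(" ", 1)[0].upper()
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return method, headers


def declares_body(headers) -> bool:
    """True if the framing headers announce an entity body."""
    for name, value in headers:
        if name == "transfer-encoding":
            return True
        if name == "content-length":
            # Malformed or repeated lengths are treated as "has a body".
            if not value.isdigit() or int(value) != 0:
                return True
    return False


def connection_policy(raw: bytes) -> str:
    """Return 'close' for OPTIONS with a declared body, else 'keep-alive'."""
    method, headers = parse_head(raw)
    if method == "OPTIONS" and declares_body(headers):
        return "close"  # do not reuse a connection that may hold unread bytes
    return "keep-alive"


# Constructed sample requests (bodies are harmless filler).
OPTIONS_WITH_LENGTH = (b"OPTIONS /api HTTP/1.1\r\nHost: origin.example\r\n"
                       b"Content-Length: 5\r\n\r\nhello")
OPTIONS_CHUNKED = (b"OPTIONS /api HTTP/1.1\r\nHost: origin.example\r\n"
                   b"Transfer-Encoding: chunked\r\n\r\n")
OPTIONS_PLAIN = b"OPTIONS * HTTP/1.1\r\nHost: origin.example\r\n\r\n"
OPTIONS_ZERO = (b"OPTIONS /api HTTP/1.1\r\nHost: origin.example\r\n"
                b"Content-Length: 0\r\n\r\n")
POST_WITH_BODY = (b"POST /api HTTP/1.1\r\nHost: origin.example\r\n"
                  b"Content-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    for sample in (OPTIONS_WITH_LENGTH, OPTIONS_CHUNKED, OPTIONS_PLAIN):
        print(sample.split(b"\r\n", 1)[0].decode(), "->", connection_policy(sample))
```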
