Akamai Ghost HTTP Request Smuggling Vulnerability on CDN Edge Servers

Akamai Ghost running on Akamai CDN edge servers prior to 2025-11-17 contains a vulnerability that allows HTTP request smuggling due to improper handling of chunked request bodies. When an invalid chunked body is received—specifically one where the chunk size does not match the actual data size—Akamai Ghost may incorrectly forward the flawed request along with extra bytes to the origin server. This creates an opportunity for an attacker to conceal a smuggled request within these additional bytes. The exploitability of this vulnerability depends on how the origin server reacts to the received invalid request.

Impact

Exploitation of this vulnerability could lead to HTTP request smuggling, allowing attackers to manipulate the way requests are processed by the server, potentially causing one server to misinterpret a request and forward it to another server in a way that bypasses security controls.

Remediation

Akamai has deployed a fix for this vulnerability on 2025-11-17. No action is required by customers.