CVE-2025-32094
📋 TL;DR
This HTTP request smuggling vulnerability in Akamai Ghost allows an attacker to smuggle a second request inside an HTTP/1.x OPTIONS request by using obsolete line folding (obs-fold) in the header section. Because different Akamai servers can parse the folded headers differently, they disagree about where one request ends and the next begins, which can bypass security controls. Only Akamai CDN customers using affected versions are impacted.
💻 Affected Systems
- Akamai Ghost
- Akamai CDN platform
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass web application firewalls, access control mechanisms, or cache poisoning protections, potentially leading to data exposure or unauthorized actions.
Likely Case
Limited request smuggling that might bypass some security filters but requires specific conditions and knowledge of target infrastructure.
If Mitigated
With proper patching and monitoring, impact is minimal as the vulnerability requires specific HTTP/1.x features and line folding techniques.
🎯 Exploit Status
Requires knowledge of HTTP/1.x protocol quirks and specific server configurations
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions from 2025-03-26 onward
Vendor Advisory: https://www.akamai.com/blog/security/cve-2025-32094-http-request-smuggling
Restart Required: No
Instructions:
1. Contact Akamai support
2. Request an update to post-2025-03-26 versions
3. Verify that the configuration changes are applied
🔧 Temporary Workarounds
Disable HTTP/1.x support
Force clients to use HTTP/2 or HTTP/3, which do not support obsolete line folding
Block problematic headers
Configure WAF or edge rules to block requests with Expect: 100-continue headers
🧯 If You Can't Patch
- Implement strict HTTP request validation at application layer
- Monitor for unusual OPTIONS request patterns and line folding in logs
🔍 How to Verify
Check if Vulnerable:
Check Akamai configuration version date in Akamai Control Center or contact Akamai support
Check Version:
Contact Akamai support or check via Akamai Control Center interface
Verify Fix Applied:
Verify configuration shows version date of 2025-03-26 or later
📡 Detection & Monitoring
Log Indicators:
- Unusual OPTIONS requests with Expect: 100-continue headers
- Requests containing obsolete line folding (a CRLF followed by a space or tab inside the header section, rather than a CRLF that starts a new header)
- Multiple requests appearing from single client connection
Network Indicators:
- HTTP/1.x traffic with unusual header patterns
- Requests that trigger 100 Continue responses
SIEM Query:
http.method:OPTIONS AND http.headers.expect:"100-continue" AND (http.headers contains "\r\n " OR http.headers contains "\r\n\t")
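The SIEM query above and the "Block problematic headers" workaround both reduce to the same check on the raw request head: is the method OPTIONS, is `Expect: 100-continue` present, and does the header section contain obs-fold (CRLF followed by SP or HTAB, as defined in RFC 9112)? The following Python script is an added example, not Akamai's code or anything from the advisory; it implements that check over constructed sample request heads so the rule can be tested offline before it is deployed in a proxy or log pipeline. The function names (`parse_request`, `classify`, `decide`) and the sample requests are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample request heads (not captured traffic). They are bytes,
# as a proxy or packet capture would hand them over; bodies are omitted
# because the indicators only concern the request-line and headers.
SAMPLES: Dict[str, bytes] = {
    "benign_get": (
        b"GET /index.html HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        b"User-Agent: curl/8.0\r\n"
        b"\r\n"
    ),
    "benign_options": (
        b"OPTIONS /api HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        b"Origin: https://app.example.test\r\n"
        b"\r\n"
    ),
    # OPTIONS + Expect: 100-continue + an obs-folded header value.
    "suspicious_options": (
        b"OPTIONS / HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        b"Expect: 100-continue\r\n"
        b"X-Note: first part\r\n"
        b" second part folded with obs-fold\r\n"
        b"\r\n"
    ),
    # obs-fold on its own (HTAB continuation), no OPTIONS/Expect combination.
    "folded_get": (
        b"GET / HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        b"X-Long: a\r\n"
        b"\tb\r\n"
        b"\r\n"
    ),
}

# RFC 9112 obs-fold: CRLF followed by one or more SP / HTAB octets inside
# the header section. A CRLF followed by a token starts a new header and
# must not match, which is why the SIEM query looks for "\r\n " and "\r\n\t".
OBS_FOLD_RE = re.compile(rb"\r\n[ \t]+")


def split_head(raw: bytes) -> bytes:
    """Return the request head (request-line + headers) without the body."""
    end = raw.find(b"\r\n\r\n")
    return raw if end == -1 else raw[: end + 2]


def parse_request(raw: bytes) -> dict:
    """Parse method, version and a lower-cased header map; record obs-fold."""
    head = split_head(raw)
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = request_line.split(" ")
    method = parts[0] if parts else ""
    version = parts[2] if len(parts) >= 3 else ""
    # Unfold obs-fold to a single SP before building the header map; RFC 9112
    # section 5.2 requires a recipient that accepts such a message to do this.
    unfolded = OBS_FOLD_RE.sub(b" ", head)
    headers: Dict[str, str] = {}
    for line in unfolded.split(b"\r\n")[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {
        "method": method,
        "version": version,
        "headers": headers,
        "obs_fold": OBS_FOLD_RE.search(head) is not None,
    }


def classify(raw: bytes) -> List[str]:
    """Return the log indicators (from the Detection section) that fire."""
    req = parse_request(raw)
    indicators: List[str] = []
    if req["obs_fold"]:
        indicators.append("obs_fold")
    if req["method"] == "OPTIONS" and req["headers"].get("expect", "").lower() == "100-continue":
        indicators.append("options_expect_100_continue")
    if "obs_fold" in indicators and "options_expect_100_continue" in indicators:
        indicators.append("cve_2025_32094_pattern")
    return indicators


def decide(raw: bytes) -> str:
    """Edge decision: RFC 9112 lets a server reject any obs-fold with 400,
    which is the simplest form of the 'block problematic headers' workaround."""
    return "reject" if parse_request(raw)["obs_fold"] else "forward"


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20s} indicators={classify(raw)} decision={decide(raw)}")
```

Run stand-alone, the script prints one line per constructed sample; only `suspicious_options` fires all three indicators, and both folded samples are rejected by `decide`. In a real pipeline the same `classify` logic would be applied to each request head from proxy logs or a capture, and `decide` shows the strict posture an edge can adopt (reject every obs-fold) rather than only the narrower OPTIONS-plus-Expect match.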
🔗 References
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/100
- https://www.akamai.com/blog/security/cve-2025-32094-http-request-smuggling
- https://www.blackhat.com/us-25/briefings/schedule/#http1-must-die-the-desync-endgame-45103
- https://www.rfc-editor.org/rfc/rfc9112.html#name-obsolete-line-folding