Akamai Ghost Platform Flaw Allows Hidden Second Request Injection

Akamai Technologies disclosed a critical HTTP request smuggling vulnerability affecting its content delivery network platform that could allow attackers to inject hidden secondary requests through a sophisticated exploitation technique.

The vulnerability, designated CVE-2025-32094, was discovered through the company’s bug bounty program and has been resolved across all customer deployments without evidence of successful exploitation in the wild.

Vulnerability Details and Attack Vector

The security flaw stems from a complex interaction between multiple processing defects within Akamai’s edge server infrastructure.

Specifically, the vulnerability manifests when clients send HTTP/1.x OPTIONS requests containing an “Expect: 100-continue” header utilizing obsolete line folding techniques.

This combination creates a dangerous parsing discrepancy between different Akamai servers in the traffic processing chain. The attack exploits two distinct implementation defects working in tandem.

First, when requests include the Expect: 100-continue header spanning multiple lines through obsolete HTTP line folding, Akamai’s initial edge server ...