CVE-2025-66373
BaseFortify
Publication date: 2025-12-04
Last updated on: 2025-12-16
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| akamai | akamaighost | to 2025-11-17 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Akamai Ghost on Akamai CDN edge servers involves an error in processing chunked HTTP request bodies. Specifically, when the server receives a chunked request body where the declared chunk size does not match the actual size of the chunk data, Akamai Ghost may incorrectly forward the invalid request along with extra bytes to the origin server. An attacker can exploit this behavior to hide a smuggled HTTP request within these extra bytes, potentially bypassing security controls.
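The size mismatch described above can be caught by a parser that refuses to resynchronise. The following is an added example, not Akamai's code or fix: a strict chunked-body check an origin or intermediary could apply, where the function names, the 8-hex-digit size cap and the sample bodies are assumptions made for illustration.

```python
from __future__ import annotations
import re

# Chunk-size line: 1-8 hex digits (cap is this example's choice), optional extensions.
_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]{1,8})(?:;[^\r\n]*)?")

class ChunkedFramingError(ValueError):
    """Body does not follow chunked framing exactly."""

def parse_chunked(buf: bytes) -> tuple[bytes, bytes]:
    """Decode one chunked body; return (decoded body, bytes left after it)."""
    body, pos = bytearray(), 0
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedFramingError("chunk-size line not terminated by CRLF")
        m = _SIZE_LINE.fullmatch(buf[pos:eol])
        if m is None:
            raise ChunkedFramingError("malformed chunk-size line")
        size, pos = int(m.group(1), 16), eol + 2
        if size == 0:
            break
        end = pos + size
        if end + 2 > len(buf):
            raise ChunkedFramingError("chunk shorter than declared size")
        if buf[end:end + 2] != b"\r\n":
            # Declared size and actual data disagree: reject, never resync.
            raise ChunkedFramingError("declared chunk size does not match data")
        body += buf[pos:end]
        pos = end + 2
    while True:  # trailer section: skip lines up to the empty line
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedFramingError("trailer section not terminated")
        line, pos = buf[pos:eol], eol + 2
        if not line:
            return bytes(body), buf[pos:]

def framing_error(buf: bytes) -> str | None:
    """Return the rejection reason for buf, or None when framing is exact."""
    try:
        parse_chunked(buf)
    except ChunkedFramingError as exc:
        return str(exc)
    return None

# Constructed sample bodies (not captured traffic).
GOOD = b"5\r\nhello\r\n0\r\n\r\n"
OVERLONG = b"3\r\nhello\r\n0\r\n\r\n"   # 5 data bytes, size says 3
```

A request that fails this check should be answered with an error and the connection closed, so that no unparsed bytes are treated as the start of another request.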
How can this vulnerability impact me?
The vulnerability can allow an attacker to perform HTTP request smuggling by sending specially crafted chunked requests. This can lead to unauthorized requests being processed by the origin server, potentially bypassing security mechanisms, causing data leakage, session hijacking, or other malicious actions depending on how the origin server handles the smuggled requests.