
CVE-2025-32094

An issue was discovered in Akamai Ghost, as used for the Akamai CDN platform before 2025-03-26. Under certain circumstances, a client making an HTTP/1.x OPTIONS request with an "Expect: 100-continue" header, and using obsolete line folding, can lead to a discrepancy in how two in-path Akamai servers interpret the request, allowing an attacker to smuggle a second request in the original request body.
Data is provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Vendor: Akamai
Product: AkamaiGhost
Default status: unaffected
Version: 0
Version: < 2025-03-26
Status: affected
No advisory was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.52% | 0.398
CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
cve@mitre.org | 4 | 2.2 | 1.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/100
https://www.rfc-editor.org/rfc/rfc9112.html#name-obsolete-line-folding
https://www.akamai.com/blog/security/cve-2025-32094-http-request-smuggling
https://www.blackhat.com/us-25/briefings/schedule/#http1-must-die-the-desync-endgame-45103