CVE-2025-32094

4.0 MEDIUM
Published: August 07, 2025 Modified: April 15, 2026
View on NVD

Description

An issue was discovered in Akamai Ghost, as used for the Akamai CDN platform before 2025-03-26. Under certain circumstances, a client making an HTTP/1.x OPTIONS request with an "Expect: 100-continue" header, and using obsolete line folding, can lead to a discrepancy in how two in-path Akamai servers interpret the request, allowing an attacker to smuggle a second request in the original request body.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Status/100
Source: cve@mitre.org
https://www.akamai.com/blog/security/cve-2025-32094-http-request-smuggling
Source: cve@mitre.org
https://www.blackhat.com/us-25/briefings/schedule/#http1-must-die-the-desync-endgame-45103
Source: cve@mitre.org
https://www.rfc-editor.org/rfc/rfc9112.html#name-obsolete-line-folding
Source: cve@mitre.org

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
4.0 / 10.0
EPSS (Exploit Probability)
0.1%
25th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-444

Related CVEs

CVE-2026-41907 N/A
CVE-2026-41894 N/A
CVE-2026-41492 9.8
CVE-2026-41421 8.8
CVE-2026-41419 7.6