Blog Security CVE-2025-66373: HTTP Request Smuggling Due to Invalid Chunked Body Size On November 17, 2025, Akamai eliminated a potential HTTP Request Smuggling vector that resulted from incorrect processing of requests containing an invalid chunk-encoded body. Chunked transfer encoding is a data transfer mechanism available in HTTP 1.1, in which the body of an HTTP message is encoded in any number of chunks. Every chunk is made up of a chunk size followed by the chunk data of the indicated size. Akamai edge servers contained a vulnerability due to erroneous processing of requests with a chunk-encoded body. Vulnerability details Specifically, when Akamai edge servers received an invalid chunked body — one that included a chunk size that does not match the actual size of the following chunk data — the servers (under certain circumstances) incorrectly forwarded the invalid request and subsequent superfluous bytes to the origin server.…