
New HTTP Request Smuggling Attacks Impacted CDNs, Major Orgs, Millions of Websites

A desync attack method leveraging HTTP/1.1 vulnerabilities impacted many websites and earned researchers more than $200,000 in bug bounties. The post New HTTP Request Smuggling Attacks Impacted CDNs, Major Orgs, Millions of Websites appeared first on SecurityWeek.

HTTP 1.1 Request Smuggling 0.CL

New variants of the HTTP request smuggling attack method impacted several widely used content delivery networks, major organizations, and millions of websites. 

James Kettle, director of research at application security firm PortSwigger, presented a new attack method on Wednesday at the Black Hat conference. Kettle has worked with several others, including a team of bug bounty hunters, to find impacted organizations and inform them about the risks.

HTTP request smuggling, also referred to as a desync attack, leverages inconsistencies in how web servers process HTTP requests, enabling an attacker to ‘smuggle’ a malicious request inside a legitimate one. 

The issue is related to how servers — typically frontend servers that act as load balancers or proxies, and backend servers that host a website — determine where an HTTP request ends and where the next request begins.

Threat actors can create a specially crafted request that the frontend server forwards to the backend server. The backend is tricked into believing the request is shorter than it actually is, so the leftover bytes stay in the connection buffer and are processed as the start of the next request on that connection.

The attacker can craft the request to ensure that a malicious part is left in the connection buffer and appended to a request initiated by a legitimate user right after the attacker. The attacker’s request can be designed to steal the victim’s session, redirect the victim to a fake (phishing) website, or poison the web cache and cause the server to store a malicious page that is served to other users.
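The boundary problem described above comes down to how each server decides where a request body ends: by Content-Length, by chunked Transfer-Encoding, or by neither. The following is an added example, not code from the article, PortSwigger, Akamai or Cloudflare, of what a strict HTTP/1.1 front end should do: frame a pipelined byte stream using only unambiguous rules from RFC 9112 section 6.3 and reject anything two implementations could plausibly split differently (both length headers present, conflicting Content-Length values, malformed header names, malformed chunk sizes, bare LF line endings). The sample byte streams, hostnames and function names are constructed for the example.

```python
"""Strict HTTP/1.1 request framing (added example, not the article's or any vendor's code).

Splits a pipelined byte stream into requests using only unambiguous framing
rules and raises FramingError for anything that could be parsed two ways.
All sample inputs below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

HEX = b"0123456789abcdefABCDEF"


class FramingError(ValueError):
    """Raised when the request boundary cannot be determined unambiguously."""


@dataclass
class Request:
    start_line: str
    headers: list[tuple[str, str]]  # lower-cased names, stripped values
    body: bytes = b""


def _parse_head(head: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Parse start line and headers; reject folding, bare LF and odd header names."""
    if b"\n" in head.replace(b"\r\n", b""):
        raise FramingError("bare LF in header section")
    lines = head.split(b"\r\n")
    try:
        start = lines[0].decode("ascii")
        if len(start.split(" ")) != 3:
            raise FramingError(f"malformed request line: {start!r}")
        headers = []
        for raw in lines[1:]:
            if raw[:1] in (b" ", b"\t"):
                raise FramingError("obsolete line folding is not accepted")
            name, sep, value = raw.partition(b":")
            # No whitespace may sit between the field name and the colon (RFC 9112 5.1).
            if not sep or not name or name != name.strip():
                raise FramingError(f"malformed header line: {raw!r}")
            headers.append((name.decode("ascii").lower(), value.strip().decode("ascii")))
    except UnicodeDecodeError as exc:
        raise FramingError("non-ASCII byte in header section") from exc
    return start, headers


def body_length(headers: list[tuple[str, str]]) -> int | None:
    """Return the declared body length; None means chunked; raise if ambiguous."""
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings != ["chunked"]:  # this front end frames only plain chunked bodies
            raise FramingError(f"unsupported Transfer-Encoding: {codings}")
        return None
    if cl:
        values = {v.strip() for raw in cl for v in raw.split(",")}
        if len(values) != 1:  # identical repeats are tolerated, differing ones are not
            raise FramingError("conflicting Content-Length values")
        value = values.pop()
        if not value.isdigit():  # decoded as ASCII, so only 0-9 can pass here
            raise FramingError(f"invalid Content-Length: {value!r}")
        return int(value)
    return 0  # a request with neither header has no body (RFC 9112 6.3)


def _read_chunked(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Decode a chunked body starting at pos; return (body, position after trailers)."""
    out = bytearray()
    while True:
        end = buf.find(b"\r\n", pos)
        if end < 0:
            raise FramingError("incomplete chunk header")
        size_field = buf[pos:end].split(b";", 1)[0]  # drop chunk extensions
        if not size_field or any(c not in HEX for c in size_field):
            raise FramingError(f"malformed chunk size: {size_field!r}")
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:  # last chunk, then trailer lines up to an empty line
            while True:
                end = buf.find(b"\r\n", pos)
                if end < 0:
                    raise FramingError("incomplete trailer section")
                line, pos = buf[pos:end], end + 2
                if line == b"":
                    return bytes(out), pos
        if len(buf) < pos + size + 2 or buf[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("chunk data incomplete or not terminated by CRLF")
        out += buf[pos:pos + size]
        pos += size + 2


def split_requests(stream: bytes) -> list[Request]:
    """Split a pipelined HTTP/1.1 byte stream into requests, strictly."""
    requests: list[Request] = []
    pos = 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end < 0:
            raise FramingError("incomplete request head")
        start, headers = _parse_head(stream[pos:head_end])
        pos = head_end + 4
        length = body_length(headers)
        if length is None:
            body, pos = _read_chunked(stream, pos)
        else:
            if len(stream) - pos < length:
                raise FramingError("incomplete body")
            body, pos = stream[pos:pos + length], pos + length
        requests.append(Request(start, headers, body))
    return requests


def framing_problem(stream: bytes) -> str | None:
    """Return why a stream is rejected, or None if it framed without ambiguity."""
    try:
        split_requests(stream)
    except FramingError as exc:
        return str(exc)
    return None


# Constructed sample: three cleanly framed pipelined requests.
SAMPLE_PIPELINE = (
    b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 10\r\n\r\nuser=alice"
    b"GET /account HTTP/1.1\r\nHost: example.test\r\n\r\n"
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
)

# Constructed samples a strict front end must refuse rather than guess about.
AMBIGUOUS = [
    b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 0\r\n\r\nhello",
    b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length : 5\r\n\r\nhello",
    b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n5 \r\nhello\r\n0\r\n\r\n",
]

if __name__ == "__main__":
    for req in split_requests(SAMPLE_PIPELINE):
        print(req.start_line, len(req.body), "body bytes")
    for sample in AMBIGUOUS:
        print("rejected:", framing_problem(sample))
```

The design choice is the one the article's mitigation advice implies: a front end that refuses ambiguous framing cannot be made to disagree with its backend about where a request ends, because it never forwards a request whose boundary it had to guess. Moving to HTTP/2, as Kettle recommends, removes the problem at the protocol level since frames carry explicit lengths.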

The existence of HTTP request smuggling has been known for more than two decades, and at least half a dozen new variations have been found since 2016. 

A new variant discovered by Kettle leverages weaknesses in HTTP/1.1 and involves an attack method named 0.CL (a variation of CL.0). 

Kettle and the other researchers identified many impacted servers, including a non-production T-Mobile server (T-Mobile paid out a $12,000 bug bounty), a GitLab server that exposed reports sent to its bug bounty program (a $7,000 bug bounty was paid), and Netlify CDN systems.

However, they soon realized that many of the targets were using Akamai’s CDN. Further analysis confirmed that the root cause was a vulnerability in Akamai’s infrastructure. The company assigned the issue CVE-2025-32094 and quickly started working on addressing it.

Akamai paid out a $9,000 bug bounty and on Wednesday published a blog post sharing technical details.

According to Kettle, the attack enabled mass compromise of user credentials from almost every company using Akamai, including tech giants, US government organizations, and SaaS providers.

Cloudflare was also impacted, but by a different HTTP request smuggling attack involving HTTP/1.1 weaknesses. In the case of the internet security and performance giant, researchers found that they could redirect the visitors of the millions of websites protected by Cloudflare to a site they controlled. 

Cloudflare rushed to address the issue and paid out a $7,000 bug bounty. The company also published a blog post detailing the issue and how it was resolved.

Overall, the researchers reported their findings to dozens of companies, receiving bug bounties totaling $276,000.

Kettle, who published a blog post on Wednesday to detail the findings, urged the industry to move away from HTTP/1.1 to HTTP/2+, which addresses the weaknesses that enable such attacks.
