Notified: October 04, 2019 Updated: January 14, 2020
Akamai acknowledges this issue and has been aware of similar research in the past. This advisory highlights a reflected XSS vulnerability in origin web applications that exists whether or not a CDN is involved, exacerbated by having responses cached. HTTP header values can be crafted by the attacker to include malicious payloads, which will then be stored in the cache and sent when subsequent requests are made for the same content. In essence, this is a traditional reflected XSS attack, elevated to a stored XSS due to caching by CDNs. Website operators should treat HTTP headers as an injection vector that must be validated prior to being parsed. Akamai can work with site operators to help create mitigation strategies specific to their systems. Header values presented to customers' applications should be considered untrusted input and validated before use.
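The mechanism described in the vendor statement, as an added, self-contained simulation (example code written for this page, not Akamai's or the CERT/CC's own): an origin application reflects a request header into its HTML, and a cache in front of it keys responses on the URL path only, so one attacker request poisons the copy that every later visitor receives. The header name X-Forwarded-Host, the hostname allowlist and the page markup are assumptions chosen for the demo; the advisory does not name a specific header. The hardened origin shows the validate-before-use behaviour the statement recommends.

```python
"""
Reflected XSS elevated to stored XSS by a shared cache (added demo).

The cache below keys only on the path, so a request header that the origin
reflects into the page is "unkeyed": it changes the response but not the
cache key. One attacker request then serves its payload to all visitors.
Header name, hostnames and markup are assumptions for the demo.
"""
import html
import re
from typing import Callable, Dict

# Hosts the application is genuinely served from (constructed sample data).
ALLOWED_HOSTS = {"www.example.com", "example.com"}
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}(:\d{1,5})?$")

Origin = Callable[[str, Dict[str, str]], str]


def origin_vulnerable(path: str, headers: Dict[str, str]) -> str:
    """Origin that trusts X-Forwarded-Host when building absolute URLs."""
    host = headers.get("X-Forwarded-Host", "www.example.com")
    # The header value is interpolated verbatim: the reflected XSS sink.
    return (
        f'<html><head><script src="https://{host}/static/app.js"></script>'
        f"</head><body>{path}</body></html>"
    )


def origin_hardened(path: str, headers: Dict[str, str]) -> str:
    """Same page, but the header is treated as untrusted input."""
    candidate = headers.get("X-Forwarded-Host", "")
    # Validate the syntax and check against an allowlist; otherwise fall
    # back to a known-good host rather than echoing whatever was sent.
    if HOSTNAME_RE.match(candidate) and candidate.split(":")[0] in ALLOWED_HOSTS:
        host = candidate
    else:
        host = "www.example.com"
    # Output-encode even the validated value so a future allowlist mistake
    # cannot turn into markup.
    return (
        f'<html><head><script src="https://{html.escape(host, quote=True)}'
        f'/static/app.js"></script></head><body>{html.escape(path)}</body></html>'
    )


class PathKeyedCache:
    """Caching layer that keys responses on the path alone (the unkeyed-header case)."""

    def __init__(self, origin: Origin) -> None:
        self.origin = origin
        self.store: Dict[str, str] = {}

    def get(self, path: str, headers: Dict[str, str]) -> str:
        if path not in self.store:  # miss: fetch from origin and store it
            self.store[path] = self.origin(path, headers)
        return self.store[path]  # hit: everyone gets the stored copy


# Constructed payload: closes the src attribute and the script tag, then
# injects a script of its own.
ATTACKER_PAYLOAD = (
    'evil.example"></script><script>alert(document.domain)</script><script src="x'
)


def simulate_attack(origin: Origin) -> str:
    """Attacker primes the cache once; return what a later plain visitor sees."""
    cache = PathKeyedCache(origin)
    cache.get("/", {"X-Forwarded-Host": ATTACKER_PAYLOAD})  # attacker request
    return cache.get("/", {})  # victim request: no special header at all


def is_poisoned(body: str) -> bool:
    """True if the attacker's script survived into the served page."""
    return "<script>alert(document.domain)</script>" in body


if __name__ == "__main__":
    print("vulnerable origin poisoned:", is_poisoned(simulate_attack(origin_vulnerable)))
    print("hardened origin poisoned:  ", is_poisoned(simulate_attack(origin_hardened)))
```

The victim never sends the crafted header; the cache hands back what the attacker's request produced. Validating and encoding the header at the origin, as the statement advises, removes the sink regardless of the cache. As a complementary control on the CDN side, a practitioner would also either strip the reflected header before it reaches the origin or include it in the cache key, so a single request cannot decide what everyone else is served.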
We are not aware of further vendor information regarding this vulnerability.