MEDIUM
GHSA-r6fj-869h-4f6q
OHttpVersionChunkDraft: Missing Final-Chunk Enforcement Leads to Undetected Stream Truncation
Details
The codec-ohttp implementation of draft-ietf-ohai-chunked-ohttp does not verify that a cryptographically signed final chunk was received before the outer HTTP body terminates. An on-path adversary (the OHTTP relay itself, or any MITM on the relay↔gateway or relay↔client transport) can forward a prefix of a legitimate chunked-OHTTP message—cut at a non-final chunk boundary—and close the outer body cleanly, producing no decryption error and no exception in the receiving application.
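The failure mode described above comes down to one missing check at end-of-stream: the receiver must know whether the final-chunk indicator was ever seen, and treat a clean body close without it as an error. The following is an added example, not code from netty-incubator-codec-ohttp, modelling the chunk framing in Python. It assumes the draft's layout (non-final chunks length-prefixed with a QUIC-style varint, a varint of 0 introducing the final chunk that runs to the end of the body) and deliberately omits per-chunk AEAD, since a forwarded prefix of genuine chunks decrypts cleanly in the real protocol too. `ChunkDecoder(enforce_final=False)` mirrors the vulnerable behaviour; `enforce_final=True` is the hardened form.

```python
# Added example (not the project's code): simplified chunked-OHTTP body framing
# showing why end-of-stream must be checked against a "final chunk seen" flag.
# Assumptions: QUIC-style varint length prefixes, varint 0 = final-chunk indicator,
# final chunk runs to the end of the outer HTTP body. Per-chunk AEAD is omitted.
from typing import List, Optional, Tuple


class TruncatedStreamError(Exception):
    """Outer body ended before the final chunk was received."""


def encode_varint(n: int) -> bytes:
    """QUIC-style variable-length integer (RFC 9000, section 16)."""
    if n < 1 << 6:
        return n.to_bytes(1, "big")
    if n < 1 << 14:
        return (n | 0x4000).to_bytes(2, "big")
    if n < 1 << 30:
        return (n | 0x80000000).to_bytes(4, "big")
    return (n | 0xC000000000000000).to_bytes(8, "big")


def decode_varint(buf: bytes, pos: int) -> Optional[Tuple[int, int]]:
    """Return (value, new_pos), or None if buf does not yet hold a whole varint."""
    if pos >= len(buf):
        return None
    length = 1 << (buf[pos] >> 6)
    if len(buf) - pos < length:
        return None
    value = int.from_bytes(buf[pos:pos + length], "big") & ((1 << (8 * length - 2)) - 1)
    return value, pos + length


def frame_body(chunks: List[bytes]) -> bytes:
    """Encode chunks[:-1] as non-final chunks and chunks[-1] as the final chunk."""
    out = b"".join(encode_varint(len(c)) + c for c in chunks[:-1])
    return out + encode_varint(0) + chunks[-1]


class ChunkDecoder:
    """Incremental decoder. enforce_final=False mirrors the vulnerable behaviour:
    end_of_stream() hands back whatever complete chunks arrived, no questions asked."""

    def __init__(self, enforce_final: bool = True):
        self.enforce_final = enforce_final
        self.buf = b""
        self.chunks: List[bytes] = []
        self.final_seen = False

    def feed(self, data: bytes) -> None:
        self.buf += data
        while not self.final_seen:
            hdr = decode_varint(self.buf, 0)
            if hdr is None:
                return  # need more bytes for the length prefix
            length, start = hdr
            if length == 0:
                # Final-chunk indicator: everything after it is the final chunk.
                self.final_seen = True
                self.buf = self.buf[start:]
                return
            if len(self.buf) < start + length:
                return  # chunk body still incomplete, wait for more data
            self.chunks.append(self.buf[start:start + length])
            self.buf = self.buf[start + length:]

    def end_of_stream(self) -> List[bytes]:
        """Called when the outer HTTP body closes: the check the advisory says was missing."""
        if self.final_seen:
            self.chunks.append(self.buf)
            return self.chunks
        if self.enforce_final:
            raise TruncatedStreamError(
                f"body closed after {len(self.chunks)} chunk(s) with no final chunk")
        return self.chunks  # vulnerable: silent truncation, no error surfaced


def demonstrate() -> dict:
    """Constructed sample: a three-chunk body, then the same body cut at a
    non-final chunk boundary, the prefix an on-path relay could forward."""
    chunks = [b"GET /index.html ", b"HTTP/1.1\r\n", b"Host: example\r\n\r\n"]
    full = frame_body(chunks)
    cut = sum(len(encode_varint(len(c))) + len(c) for c in chunks[:2])
    truncated = full[:cut]  # drops the 0 indicator and the final chunk

    intact = ChunkDecoder(enforce_final=True)
    intact.feed(full[:5])   # arrives in two pieces to exercise buffering
    intact.feed(full[5:])
    complete = intact.end_of_stream()

    lax = ChunkDecoder(enforce_final=False)
    lax.feed(truncated)
    lax_result = lax.end_of_stream()  # returns the prefix as if it were whole

    strict = ChunkDecoder(enforce_final=True)
    strict.feed(truncated)
    try:
        strict.end_of_stream()
        detected = False
    except TruncatedStreamError:
        detected = True

    return {"complete": complete, "lax_result": lax_result, "strict_detected": detected}
```

The lax decoder returns the first two chunks of the truncated body with no error, which is exactly the symptom the advisory describes; the strict decoder raises because the body closed with `final_seen` still false. The same flag-at-close check applies whether the transport signals end-of-body via `Content-Length`, chunked transfer encoding, or connection close.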
Affected packages
Maven / io.netty.incubator:netty-incubator-codec-ohttp
Introduced in: 0
Fixed in: 0.0.22.Final
Fix
# pom.xml: bump <version>0.0.22.Final</version> for io.netty.incubator:netty-incubator-codec-ohttp
References
- https://github.com/netty/netty-incubator-codec-ohttp/security/advisories/GHSA-r6fj-869h-4f6q [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-48480 [ADVISORY]
- https://github.com/netty/netty-incubator-codec-ohttp/commit/28f977f293591a4e837bd59ceb441f9f70349915 [WEB]
- https://github.com/netty/netty-incubator-codec-ohttp [PACKAGE]