OHttpVersionChunkDraft: Missing Final-Chunk Enforcement Leads to Undetected Stream Truncation
Moderate severity
GitHub Reviewed
Published
Jun 3, 2026
in
netty/netty-incubator-codec-ohttp
•
Updated Jun 23, 2026
Package
Affected versions
< 0.0.22.Final
Patched versions
0.0.22.Final
Description
Published by the National Vulnerability Database
Jun 4, 2026
Published to the GitHub Advisory Database
Jun 23, 2026
Reviewed
Jun 23, 2026
Last updated
Jun 23, 2026
The codec-ohttp implementation of draft-ietf-ohai-chunked-ohttp does not verify that a cryptographically-signed final chunk was received before the outer HTTP body terminates. An on-path adversary (the OHTTP relay itself, or any MITM on the relay↔gateway or relay↔client transport) can forward a prefix of a legitimate chunked-OHTTP message—cut at a non-final chunk boundary—and close the outer body cleanly, producing no decryption error and no exception in the receiving application.
References