CVE-2026-48480
netty-incubator-codec-ohttp OHttpVersionChunkDraft's Missing Final-Chunk Enforcement Leads to Undetected Stream Truncation
Description
The netty incubator codec.bhttp is a java language binary http parser. Prior to version 0.0.22.FInal, the codec-ohttp implementation of draft-ietf-ohai-chunked-ohttp does not verify that a cryptographically-signed final chunk was received before the outer HTTP body terminates. An on-path adversary (the OHTTP relay itself, or any MITM on the relay↔gateway or relay↔client transport) can forward a prefix of a legitimate chunked-OHTTP message—cut at a non-final chunk boundary—and close the outer body cleanly, producing no decryption error and no exception in the receiving application. Version 0.0.22.Final fixes the issue.
INFO
Published Date :
June 4, 2026, 5:39 p.m.
Last Modified :
June 4, 2026, 5:39 p.m.
Remotely Exploit :
No
Source :
GitHub_M
Solution
- Update netty incubator codec.bhttp to version 0.0.22.Final or later.
- Ensure the implementation verifies signed final chunks.
- Prevent early termination of the outer HTTP body.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-48480 vulnerability anywhere in the article.