HTTP Parser Vulnerability in Netty Incubator Codec by Netty
CVE-2026-48480
What is CVE-2026-48480?
The Netty Incubator Codec's binary HTTP parser, specifically the codec-ohttp implementation, has a significant security issue prior to version 0.0.22.Final. This vulnerability arises because it fails to verify the receipt of a cryptographically-signed final chunk before terminating the outer HTTP body. An on-path attacker, such as one controlling the OHTTP relay or any man-in-the-middle (MITM) in the communication, can exploit this flaw. They can forward a legitimate chunk of data prematurely, severing it at a non-final chunk boundary. As a result, the outer HTTP body can be closed without triggering decryption errors or exceptions in the receiving application, potentially leading to data exposure or unauthorized actions.
Affected Version(s)
netty-incubator-codec-ohttp < 0.0.22.Final
