CVE-2026-48480: CWE-325: Missing Cryptographic Step in netty netty-incubator-codec-ohttp
CVE-2026-48480 is a vulnerability in netty-incubator-codec-ohttp versions prior to 0. 0. 22. Final where the implementation fails to verify receipt of a cryptographically-signed final chunk before the outer HTTP body ends. This allows an on-path adversary, such as a man-in-the-middle or the OHTTP relay itself, to truncate a legitimate chunked-OHTTP message at a non-final chunk boundary and close the outer body cleanly without triggering decryption errors or exceptions. The issue is fixed in version 0. 0. 22. Final.
AI Analysis
Technical Summary
The netty-incubator-codec-ohttp library, a Java binary HTTP parser, had a missing cryptographic verification step in its chunked-OHTTP implementation before version 0.0.22.Final. Specifically, it did not confirm that the final cryptographically-signed chunk was received before the HTTP body terminated. This flaw enables an on-path attacker to forward only a prefix of a legitimate chunked-OHTTP message, truncated at a non-final chunk boundary, and close the outer HTTP body without causing decryption errors or exceptions in the client application. The vulnerability is identified as CWE-325 (Missing Cryptographic Step) and has a CVSS 4.0 score of 6.6 (medium severity). The issue is resolved in version 0.0.22.Final.
Potential Impact
An on-path adversary, including the OHTTP relay or any man-in-the-middle on the relay-to-gateway or relay-to-client transport, can exploit this vulnerability to truncate chunked-OHTTP messages without detection. This could lead to incomplete or manipulated data being processed by the receiving application without triggering errors or exceptions, potentially undermining message integrity and confidentiality guarantees provided by the cryptographic protocol.
Mitigation Recommendations
Upgrade netty-incubator-codec-ohttp to version 0.0.22.Final or later, where this vulnerability is fixed. Since no official remediation level or patch links are provided beyond this version update, applying this version is the recommended mitigation. Patch status is confirmed by the versioning information in the description.
CVE-2026-48480: CWE-325: Missing Cryptographic Step in netty netty-incubator-codec-ohttp
Description
CVE-2026-48480 is a vulnerability in netty-incubator-codec-ohttp versions prior to 0. 0. 22. Final where the implementation fails to verify receipt of a cryptographically-signed final chunk before the outer HTTP body ends. This allows an on-path adversary, such as a man-in-the-middle or the OHTTP relay itself, to truncate a legitimate chunked-OHTTP message at a non-final chunk boundary and close the outer body cleanly without triggering decryption errors or exceptions. The issue is fixed in version 0. 0. 22. Final.
CVSS v4.0
Score 6.6medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The netty-incubator-codec-ohttp library, a Java binary HTTP parser, had a missing cryptographic verification step in its chunked-OHTTP implementation before version 0.0.22.Final. Specifically, it did not confirm that the final cryptographically-signed chunk was received before the HTTP body terminated. This flaw enables an on-path attacker to forward only a prefix of a legitimate chunked-OHTTP message, truncated at a non-final chunk boundary, and close the outer HTTP body without causing decryption errors or exceptions in the client application. The vulnerability is identified as CWE-325 (Missing Cryptographic Step) and has a CVSS 4.0 score of 6.6 (medium severity). The issue is resolved in version 0.0.22.Final.
Potential Impact
An on-path adversary, including the OHTTP relay or any man-in-the-middle on the relay-to-gateway or relay-to-client transport, can exploit this vulnerability to truncate chunked-OHTTP messages without detection. This could lead to incomplete or manipulated data being processed by the receiving application without triggering errors or exceptions, potentially undermining message integrity and confidentiality guarantees provided by the cryptographic protocol.
Mitigation Recommendations
Upgrade netty-incubator-codec-ohttp to version 0.0.22.Final or later, where this vulnerability is fixed. Since no official remediation level or patch links are provided beyond this version update, applying this version is the recommended mitigation. Patch status is confirmed by the versioning information in the description.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-21T15:33:08.290Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a21c501e29bf47b50c32a5c
Added to database: 6/4/2026, 6:33:37 PM
Last enriched: 6/4/2026, 6:48:34 PM
Last updated: 6/4/2026, 7:38:56 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.