Impact
The vulnerability arises from the OHttpVersionChunkDraft implementation in Netty's incubator codec, which fails to enforce the receipt of a cryptographically‑signed final chunk before terminating the outer HTTP body. This omission allows an attacker to forward only a prefix of a legitimate chunked‑OHTTP message, cut at a boundary that is not the final chunk, and then close the outer body gracefully. The receiving application processes the truncated data without raising an exception or decryption error, meaning the integrity of the message can be silently compromised. This issue is a classic example of CWE‑325, the improper use of a cryptographic primitive.
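The missing check described above, as an added example that is not code from Netty or from this advisory: a receiver that accepts end-of-body only after an authenticated final chunk, with a `require_final=False` switch reproducing the silent-truncation behaviour. The wire framing, the HMAC tag (a stand-in for the protocol's real chunk protection), the key, the sample chunks and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed sample key
CHUNKS = [b"transfer 100 to alice;", b" then cancel the transfer"]  # constructed
TAG_LEN = 32

class TruncatedMessage(Exception):
    """Outer body ended before an authenticated final chunk arrived."""

def _tag(key, index, final, data):
    # Bind chunk position and the final flag into the tag, so a non-final
    # chunk cannot be relabelled as final without failing verification.
    return hmac.new(key, struct.pack(">IB", index, final) + data, hashlib.sha256).digest()

def encode(key, chunks):
    """Frame each chunk as flag(1) | length(4) | data | tag(32); last chunk has flag=1."""
    out = b""
    for i, data in enumerate(chunks):
        final = 1 if i == len(chunks) - 1 else 0
        out += struct.pack(">BI", final, len(data)) + data + _tag(key, i, final, data)
    return out

def decode(key, body, require_final=True):
    """Verify and join chunks; `body` is the whole outer body after a clean EOF."""
    plaintext, pos, index, saw_final = b"", 0, 0, False
    while pos < len(body):
        if saw_final:
            raise ValueError("data after final chunk")
        if len(body) - pos < 5:
            raise TruncatedMessage("partial chunk header")
        final, length = struct.unpack_from(">BI", body, pos)
        pos += 5
        end = pos + length + TAG_LEN
        if end > len(body):
            raise TruncatedMessage("partial chunk")
        data, tag = body[pos:pos + length], body[pos + length:end]
        if not hmac.compare_digest(tag, _tag(key, index, final, data)):
            raise ValueError("chunk authentication failed")
        plaintext += data
        saw_final = final == 1
        pos, index = end, index + 1
    # A graceful close of the outer body is not proof that the message is complete.
    if require_final and not saw_final:
        raise TruncatedMessage("body ended without an authenticated final chunk")
    return plaintext
```

Every chunk in a truncated prefix still verifies individually, so only the end-of-body check separates a complete message from a cut one.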
Affected Systems
The flaw exists in the Netty Incubator Codec OHttp package, specifically in versions prior to 0.0.22.Final. Any deployment of the codec‑ohttp library before that release is susceptible. Users should identify whether they are running the affected version and plan an upgrade accordingly.
Risk and Exploitability
The CVSS score of 6.6 indicates a medium severity for this weakness. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves an on‑path adversary—such as a malicious OHTTP relay or a man‑in‑the‑middle on the relay‑to‑gateway or relay‑to‑client transport—who can manipulate the stream to perform the truncation. Because the attack requires network proximity and the ability to modify the payload stream, it is considered a remote but path‑dependent exploit. The lack of detection mechanisms in the library means that the compromise can remain hidden from the application side, increasing the potential impact of the attack.