Normalmaurer

#40559 of 53,622
6.6 Total CVSS
Vulnerabilities · 1
PT-2026-46315
6.6
2026-06-04
Netty · Codec-Ohttp · CVE-2026-48480
**Name of the Vulnerable Software and Affected Versions**

netty incubator codec-ohttp versions prior to 0.0.22.Final

**Description**

The codec-ohttp implementation of draft-ietf-ohai-chunked-ohttp fails to verify the receipt of a cryptographically-signed final chunk before the outer HTTP body terminates. This allows an on-path adversary, such as the OHTTP relay or a man-in-the-middle on the relay-gateway or relay-client transport, to forward a prefix of a legitimate chunked-OHTTP message cut at a non-final chunk boundary and close the outer body cleanly. This action results in no decryption error or exception within the receiving application.

**Recommendations**

Update to version 0.0.22.Final.