4.5.78 (May 2026)
Defects
The following are resolved in this build.
NXPSR-11329: If the Content-Length of the HTTP request body is spoofed, PipedInputStream#read() will remain in a waiting state, causing the DefaultThreadPool to be exhausted.
The issue occurred when a request had an invalid Content-Length that did not match the actual data sent.
We have fixed this by checking the structural integrity of the protocol package before data enters the PipedInputStream. If a client sends an invalid length, the protocol package will be cut short and become incomplete. The server will immediately catch this broken structure at the entry point, return an error, and drop the connection.
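One way to apply the entry-point check described above, written as an added Java example and not taken from the product's code: the body is read in full against the declared Content-Length, and only a complete body is written to the pipe. `BodyGate`, `readCompleteBody`, `forward` and `MAX_BODY` are hypothetical names, and a socket read timeout set by the caller is assumed.

```java
import java.io.*;
import java.net.SocketTimeoutException;
import java.nio.charset.StandardCharsets;

// Added illustration; class, method and limit names are hypothetical.
public class BodyGate {
    static final int MAX_BODY = 1 << 20; // assumed cap on accepted body size

    /** Reads exactly declaredLength bytes or throws; a partial body is never returned. */
    static byte[] readCompleteBody(InputStream in, long declaredLength) throws IOException {
        if (declaredLength < 0 || declaredLength > MAX_BODY) {
            throw new IOException("rejected: Content-Length out of range: " + declaredLength);
        }
        byte[] body = new byte[(int) declaredLength];
        int off = 0;
        try {
            while (off < body.length) {
                int n = in.read(body, off, body.length - off);
                if (n < 0) { // peer closed before sending what it declared
                    throw new EOFException("rejected: got " + off + " of " + body.length + " bytes");
                }
                off += n;
            }
        } catch (SocketTimeoutException e) {
            // Assumes the caller set Socket#setSoTimeout, so a stalled client cannot park this thread.
            throw new IOException("rejected: body stalled at " + off + " of " + body.length + " bytes", e);
        }
        return body;
    }

    /** Writes to the pipe only after the body has been verified as complete. */
    static boolean forward(InputStream in, long declaredLength, PipedOutputStream pipe) {
        try {
            pipe.write(readCompleteBody(in, declaredLength));
            return true;
        } catch (IOException e) {
            System.out.println(e.getMessage()); // caller would return an error and drop the connection
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        PipedInputStream sink = new PipedInputStream(4096);
        PipedOutputStream pipe = new PipedOutputStream(sink);
        byte[] sent = "id=42&op=ping".getBytes(StandardCharsets.US_ASCII); // constructed sample body
        System.out.println(forward(new ByteArrayInputStream(sent), sent.length, pipe));       // matching length
        System.out.println(forward(new ByteArrayInputStream(sent), sent.length + 500, pipe)); // declared > sent
        System.out.println("bytes in pipe: " + sink.available());
    }
}
```

Because the length check finishes before `pipe.write`, the thread blocked in `PipedInputStream#read()` on the other end only ever waits for data that has already arrived in full.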