304181 2025-12-15 07:32:38 -0800 Incorrect handling of invalid UTF-8 in streaming decoder 2025-12-16 20:23:53 -0800 1 1 1 Unclassified WebKit Platform WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=233921 https://github.com/web-platform-tests/wpt/pull/56799 InRadar P2 Normal --- 1 chalkerx darin annevk ap cdumez darin ntim webkit-bug-importer oldest_to_newest 2165907 0 chalkerx 2025-12-15 07:32:38 -0800 ```js > const x = Uint8Array.of(0xf0, 0xc3, 0x80, 42) > new TextDecoder().decode(x) // valid '�À*' > const d = new TextDecoder(); > [d.decode(x.subarray(0, 1), { stream: true }), d.decode(x.subarray(1), { stream: true }), d.decode()].join('') // invalid '�À�' ``` See https://issues.chromium.org/issues/468458744, WebKit is also affected This is already public but has security implications utf8 decoder is affected by the structure of underlying memory chunks Anything checking signatures / computing hashes etc is not affected by that Responses with the exact same bytes are decoded differently depending on network timing and chunking, and could potentially be affected by a MitM to trigger decoding to different data, without affecting TLS See a live demo at https://tmp-demo.rray.org/utf-8 2166110 1 webkit-bug-importer 2025-12-15 18:51:37 -0800 <rdar://problem/166583808> 2166112 2 darin 2025-12-15 18:55:32 -0800 Pull request: https://github.com/WebKit/WebKit/pull/55452 2166115 3 chalkerx 2025-12-15 19:10:45 -0800 To clarify in addition to the title change: this does not only affect `TextDecoder` This also affects `await res.text()` in fetch, and it also affects page/resource loads (as seen in the live demo - that's a plain html decoding differently) 2166143 4 ews-feeder 2025-12-15 21:36:12 -0800 Committed 304496@main (ab37a057cd38): <https://commits.webkit.org/304496@main> Reviewed commits have been landed. Closing PR #55452 and removing active labels. 2166506 5 ntim 2025-12-16 20:23:53 -0800 https://github.com/web-platform-tests/wpt/pull/56799