NIXPKGS-2026-0626
GitHub issue
published on 13 Mar 2026
by @LeSuisse
Activity log
- Created automatic suggestion
- @LeSuisse removed 2 packages
  - capnproto-java
  - capnproto-rust
- @LeSuisse accepted
- @LeSuisse published on GitHub
Cap'n Proto: Integer overflow in KJ-HTTP chunk size
Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, when using Transfer-Encoding: chunked, if a chunk's size parsed to a value of 2^64 or larger, it would be truncated to a 64-bit integer. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0.
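The truncation described above, as an added example (not Cap'n Proto's or KJ's code): a chunk-size hex parser that silently drops high bits, next to one that rejects any value needing more than 64 bits. The function names and the sample size value are constructed for illustration, and the input is assumed to be the bare hex size field without chunk extensions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: 17 hex digits encoding 2^64 + 5. */
#define OVERSIZED "1" "00000000" "0000000" "5"

/* Hex digit value, or -1 if c is not a hex digit. */
static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Truncating parser: bits shifted past bit 63 are silently discarded,
 * so two parsers can disagree on where the chunk ends. */
uint64_t parse_chunk_size_truncating(const char *s) {
    uint64_t n = 0;
    for (int d; (d = hex_val(*s)) >= 0; s++) n = (n << 4) | (uint64_t)d;
    return n;
}

/* Checked parser: returns 0 and stores the size on success; returns -1
 * for an empty field, trailing non-hex bytes, or a value >= 2^64. */
int parse_chunk_size_checked(const char *s, uint64_t *out) {
    uint64_t n = 0;
    int digits = 0, d;
    for (; (d = hex_val(*s)) >= 0; s++, digits++) {
        if (n >> 60) return -1; /* top nibble in use: next shift loses bits */
        n = (n << 4) | (uint64_t)d;
    }
    if (digits == 0 || *s != '\0') return -1;
    *out = n;
    return 0;
}

int main(void) {
    uint64_t size = 0;
    printf("truncating: %llu\n",
           (unsigned long long)parse_chunk_size_truncating(OVERSIZED));
    printf("checked:    %s\n",
           parse_chunk_size_checked(OVERSIZED, &size) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The overflow test is value-based rather than a digit count, so a size padded with leading zeros is still accepted while anything at or above 2^64 is refused.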
References
- https://github.com/capnproto/capnproto/security/advisories/GHSA-vpcq-mx5v-32wm (x_refsource_CONFIRM)
- https://capnproto.org/capnproto-c++-1.4.0.tar.gz (x_refsource_MISC)
- https://capnproto.org/capnproto-c++-win32-1.4.0.zip (x_refsource_MISC)
Affected products
capnproto
- ==< 1.4.0
Matching in nixpkgs
Ignored packages (2)
pkgs.capnproto-java
Cap'n Proto codegen plugin for Java
Package maintainers
- @lf- Jade Lovelace
- @9999years Rebecca Turner <rbt@fastmail.com>
- @RaitoBezarius Ryan Lahfa <ryan@lahfa.xyz>
- @Qyriad Qyriad <qyriad@qyriad.me>
- @alois31 Alois Wohlschlager <alois1@gmx-topmail.de>