NIXPKGS-2026-0629

GitHub issue published 3 months, 1 week ago

Permalink CVE-2026-32239

updated 3 months, 1 week ago by @LeSuisse Activity log

Created suggestion 3 months, 1 week ago
@LeSuisse ignored
2 packages
- capnproto-java
- capnproto-rust
3 months, 1 week ago
@LeSuisse accepted 3 months, 1 week ago
@LeSuisse published on GitHub 3 months, 1 week ago

Cap'n Proto has an integer overflow in KJ-HTTP

Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, a negative Content-Length value was converted to unsigned, treating it as an impossibly large length instead. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0.

References

https://github.com/capnproto/capnproto/security/advisories/GHSA-qjx3-pp3m-9jpm x_refsource_CONFIRM
https://github.com/capnproto/capnproto/commit/2744b3c012b4aa3c31cefb61ec656829fa5c0e36 x_refsource_MISC
https://github.com/capnproto/capnproto/commit/e929f0ba7901a6b8f4b5ba9a4db00af43288cbb0 x_refsource_MISC
https://capnproto.org/capnproto-c++-1.4.0.tar.gz x_refsource_MISC
https://capnproto.org/capnproto-c++-win32-1.4.0.zip x_refsource_MISC

Affected products

capnproto

==< 1.4.0

Matching in nixpkgs

pkgs.capnproto

Cap'n Proto cerealization protocol

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0

Ignored packages (2)

pkgs.capnproto-java

Cap'n Proto codegen plugin for Java

nixos-unstable 0.1.16
- nixpkgs-unstable 0.1.16
- nixos-unstable-small 0.1.16

pkgs.capnproto-rust

Cap'n Proto codegen plugin for Rust

nixos-unstable 0.25.0
- nixpkgs-unstable 0.25.0
- nixos-unstable-small 0.25.0

Package maintainers

@lf- Jade Lovelace
@9999years Rebecca Turner <rbt@fastmail.com>
@Qyriad Qyriad <qyriad@qyriad.me>
@RaitoBezarius Ryan Lahfa <ryan@lahfa.xyz>

Upstream advisory: https://github.com/capnproto/capnproto/security/advisories/GHSA-qjx3-pp3m-9jpm

Nixpkgs security tracker

Details of issue NIXPKGS-2026-0629