NIXPKGS-2026-0629
GitHub issue published on 13 Mar 2026 by @LeSuisse
Activity log
- Created automatic suggestion
- @LeSuisse removed 2 packages
  - capnproto-java
  - capnproto-rust
- @LeSuisse accepted
- @LeSuisse published on GitHub
Cap'n Proto has an integer overflow in KJ-HTTP
Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, a negative Content-Length value was converted to unsigned and was therefore treated as an impossibly large length. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0.
References
- https://github.com/capnproto/capnproto/security/advisories/GHSA-qjx3-pp3m-9jpm x_refsource_CONFIRM
- https://capnproto.org/capnproto-c++-1.4.0.tar.gz x_refsource_MISC
- https://capnproto.org/capnproto-c++-win32-1.4.0.zip x_refsource_MISC
Affected products
capnproto
- ==< 1.4.0
Matching in nixpkgs
Ignored packages (2)
pkgs.capnproto-java
Cap'n Proto codegen plugin for Java
Package maintainers
- @lf- Jade Lovelace
- @9999years Rebecca Turner <rbt@fastmail.com>
- @RaitoBezarius Ryan Lahfa <ryan@lahfa.xyz>
- @Qyriad Qyriad <qyriad@qyriad.me>
- @alois31 Alois Wohlschlager <alois1@gmx-topmail.de>