Nixpkgs Security Tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: capnproto

Found 2 matching suggestions

Published
Permalink CVE-2026-32239
updated 9 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 1 day ago
  • @LeSuisse removed
    2 packages
    • capnproto-java
    • capnproto-rust
    9 hours ago
  • @LeSuisse accepted 9 hours ago
  • @LeSuisse published on GitHub 9 hours ago
Cap'n Proto has an integer overflow in KJ-HTTP

Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, a negative Content-Length value was converted to unsigned, treating it as an impossibly large length instead. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0.

References

Affected products

capnproto
  • ==< 1.4.0

Matching in nixpkgs

Ignored packages (2)

Package maintainers

Upstream advisory: https://github.com/capnproto/capnproto/security/advisories/GHSA-qjx3-pp3m-9jpm
Published
Permalink CVE-2026-32240
updated 9 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 1 day ago
  • @LeSuisse removed
    2 packages
    • capnproto-java
    • capnproto-rust
    9 hours ago
  • @LeSuisse accepted 9 hours ago
  • @LeSuisse published on GitHub 9 hours ago
Cap'n Proto: Integer overflow in KJ-HTTP chunk size

Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, when using Transfer-Encoding: chunked, if a chunk's size parsed to a value of 2^64 or larger, it would be truncated to a 64-bit integer. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0.

References

Affected products

capnproto
  • ==< 1.4.0

Matching in nixpkgs

Ignored packages (2)

Package maintainers

Upstream advisory: https://github.com/capnproto/capnproto/security/advisories/GHSA-vpcq-mx5v-32wm