Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-32240

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

Cap'n Proto: Integer overflow in KJ-HTTP chunk size

Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, when using Transfer-Encoding: chunked, if a chunk's size parsed to a value of 2^64 or larger, it would be truncated to a 64-bit integer. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0.

References

https://github.com/capnproto/capnproto/security/advisories/GHSA-vpcq-mx5v-32wm x_refsource_CONFIRM
https://github.com/capnproto/capnproto/commit/2744b3c012b4aa3c31cefb61ec656829fa5c0e36 x_refsource_MISC
https://github.com/capnproto/capnproto/commit/e929f0ba7901a6b8f4b5ba9a4db00af43288cbb0 x_refsource_MISC
https://capnproto.org/capnproto-c++-1.4.0.tar.gz x_refsource_MISC
https://capnproto.org/capnproto-c++-win32-1.4.0.zip x_refsource_MISC

Affected products

capnproto

==< 1.4.0

Matching in nixpkgs

pkgs.capnproto

Cap'n Proto cerealization protocol

nixos-unstable 1.2.0
- nixpkgs-unstable 1.2.0
- nixos-unstable-small 1.2.0
nixos-25.11 1.2.0
- nixos-25.11-small 1.2.0
- nixpkgs-25.11-darwin 1.2.0

pkgs.capnproto-java

Cap'n Proto codegen plugin for Java

nixos-unstable 0.1.16
- nixpkgs-unstable 0.1.16
- nixos-unstable-small 0.1.16
nixos-25.11 0.1.16
- nixos-25.11-small 0.1.16
- nixpkgs-25.11-darwin 0.1.16

pkgs.capnproto-rust

Cap'n Proto codegen plugin for Rust

nixos-unstable 0.25.0
- nixpkgs-unstable 0.25.0
- nixos-unstable-small 0.25.0
nixos-25.11 0.23.2
- nixos-25.11-small 0.23.2
- nixpkgs-25.11-darwin 0.23.2

Package maintainers

@9999years Rebecca Turner <rbt@fastmail.com>
@RaitoBezarius Ryan Lahfa <ryan@lahfa.xyz>
@alois31 Alois Wohlschlager <alois1@gmx-topmail.de>
@Qyriad Qyriad <qyriad@qyriad.me>
@lf- Jade Lovelace
@bhipple Benjamin Hipple <bhipple@protonmail.com>
@solson Scott Olson <scott@solson.me>
@mikroskeem Mark Vainomaa <mikroskeem@mikroskeem.eu>