6.3

Cap'n Proto allows malicious HTTP requests with fake sizes

CVE-2026-32239
Summary

A bug in Cap'n Proto versions before 1.4.0 converts a negative HTTP Content-Length value to unsigned, so the library treats it as an impossibly large length. In theory, this could enable HTTP request/response smuggling. The vulnerability is fixed in version 1.4.0; update to the latest version of Cap'n Proto.

Original title
Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, a negative Content-Length value was converted to unsigned, treating it as an impossibly large length instea...
Original description
Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, a negative Content-Length value was converted to unsigned, treating it as an impossibly large length instead. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0.
nvd CVSS4.0 6.3
Vulnerability type
CWE-190 Integer Overflow
CWE-444
Published: 12 Mar 2026 · Updated: 14 Mar 2026 · First seen: 12 Mar 2026
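The bug class in the description above, as an added example that is not Cap'n Proto's own code: a signed parse followed by an unsigned conversion, next to a strict parser that accepts only what RFC 9110 allows (`Content-Length = 1*DIGIT`). The function names are hypothetical and the header values are constructed samples.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>

// Illustrative weak pattern (hypothetical, not the library's code): the header
// is parsed as a signed integer and then converted to an unsigned length.
uint64_t parseContentLengthNaive(const std::string& value) {
  long long n = std::strtoll(value.c_str(), nullptr, 10);
  return static_cast<uint64_t>(n);  // a negative value wraps to a huge length
}

// Strict form: ASCII digits only, with an explicit overflow check.
// Returns false for signs, whitespace, empty input, or values above UINT64_MAX.
bool parseContentLengthStrict(const std::string& value, uint64_t* out) {
  if (value.empty()) return false;
  uint64_t result = 0;
  for (char c : value) {
    if (c < '0' || c > '9') return false;  // rejects '-', '+', spaces, hex digits
    uint64_t digit = static_cast<uint64_t>(c - '0');
    if (result > (UINT64_MAX - digit) / 10) return false;  // would overflow
    result = result * 10 + digit;
  }
  *out = result;
  return true;
}

int main() {
  // Constructed sample header values.
  const char* samples[] = {"42", "-1", "+5", "", "18446744073709551616"};
  for (const char* s : samples) {
    uint64_t strict = 0;
    bool ok = parseContentLengthStrict(s, &strict);
    std::printf("value=\"%s\" naive=%llu strict=%s\n", s,
                static_cast<unsigned long long>(parseContentLengthNaive(s)),
                ok ? "accepted" : "rejected");
  }
  return 0;
}
```

A rejected value should fail the whole message (for example with a 400 response) rather than fall back to another framing, so that every hop agrees on where the body ends.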