
Cap'n Proto truncates large chunked transfer requests

CVE-2026-32240
Summary

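If an HTTP message sent with Transfer-Encoding: chunked declares a chunk size of 2^64 or larger, the size is truncated to a 64-bit integer instead of being rejected, potentially allowing an attacker to trick the server into accepting malicious data (in theory, HTTP request/response smuggling). This issue is fixed in version 1.4.0, so update to that version to resolve the problem.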

Original title
Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, when using Transfer-Encoding: chunked, if a chunk's size parsed to a value of 2^64 or larger, it would be t...
Original description
Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, when using Transfer-Encoding: chunked, if a chunk's size parsed to a value of 2^64 or larger, it would be truncated to a 64-bit integer. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0.
NVD CVSS 4.0 score: 6.3
Vulnerability type
CWE-197
CWE-444
Published: 12 Mar 2026 · Updated: 14 Mar 2026 · First seen: 12 Mar 2026
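
The truncation described above, as an added example (not Cap'n Proto's code and not its 1.4.0 fix): a chunk-size hex parser that wraps on values of 2^64 or larger, beside a checked version that rejects them. The function names and the sample value are constructed for illustration, and the input is assumed to be only the hex digits of the chunk-size field.

```cpp
#include <cstdint>
#include <optional>
#include <string_view>

// Value of one hex digit, or -1 if c is not a hex digit.
static int hexValue(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Defective pattern (hypothetical name): accumulates digits with no overflow
// check, so a size of 2^64 or larger silently wraps to its low 64 bits.
uint64_t parseChunkSizeTruncating(std::string_view hex) {
    uint64_t size = 0;
    for (char c : hex) {
        int v = hexValue(c);
        if (v < 0) break;
        size = (size << 4) | static_cast<uint64_t>(v);
    }
    return size;
}

// Hardened pattern (hypothetical name): rejects empty input, non-hex
// characters, and any value that does not fit in 64 bits, so the caller can
// fail the whole message instead of reading a wrong number of body bytes.
std::optional<uint64_t> parseChunkSizeChecked(std::string_view hex) {
    if (hex.empty()) return std::nullopt;
    uint64_t size = 0;
    for (char c : hex) {
        int v = hexValue(c);
        if (v < 0) return std::nullopt;
        if (size >> 60) return std::nullopt;  // the next shift would drop bits
        size = (size << 4) | static_cast<uint64_t>(v);
    }
    return size;
}

// Constructed sample: 17 hex digits, i.e. the value 2^64 + 5.
constexpr std::string_view kOversizedChunk = "1" "00000000" "0000000" "5";
```

Two HTTP parsers on the same connection must agree on where each chunk ends; the checked form turns a disagreement about an oversized chunk size into a rejected message.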