Cap'n Proto CVE-2023-48230

Kenton Varda

Nov 21, 2023, 2:25:25 PM
to capnproto...@googlegroups.com
Hello capnproto-announce,

We discovered a bug in Cap'n Proto 1.0 affecting the KJ HTTP library (which is bundled with Cap'n Proto), allowing a remote attacker to cause a crash if the library is configured to allow WebSocket compression and the application accepts / initiates WebSockets.

I suspect no one uses this configuration except for workerd (the Cloudflare Workers Runtime). Most Cap'n Proto users do not use KJ HTTP, much less configure it to enable WebSocket compression. Nevertheless, I have published a security release.

For more details, see:

-Kenton