Cap'n Proto CVE-2023-48230

97 views

Skip to first unread message

Kenton Varda

unread,

Nov 21, 2023, 2:25:25 PM11/21/23

to capnproto...@googlegroups.com

Hello capnproto-announce,

We discovered a bug in Cap'n Proto 1.0 affecting the KJ HTTP library (which is bundled with Cap'n Proto), allowing a remote attacker to cause a crash if the library is configured to allow WebSocket compression and the application accepts / initiates WebSockets.

I suspect no one uses this configuration except for workerd (the Cloudflare Workers Runtime). Most Cap'n Proto users do not use KJ HTTP, much less configure it to enable WebSocket compression. Nevertheless, I have published a security release.

For more details, see:

https://github.com/capnproto/capnproto/security/advisories/GHSA-r89h-f468-62w3

-Kenton

Reply all

Reply to author

Forward

0 new messages