Cap'n Proto CVE-2023-48230

Skip to first unread message

Kenton Varda

Nov 21, 2023, 2:25:25 PM11/21/23
Hello capnproto-announce,

We discovered a bug in Cap'n Proto 1.0 affecting the KJ HTTP library (which is bundled with Cap'n Proto), allowing a remote attacker to cause a crash if the library is configured to allow WebSocket compression and the application accepts / initiates WebSockets.

I suspect no one uses this configuration except for workerd (the Cloudflare Workers Runtime). Most Cap'n Proto users do not use KJ HTTP, much less configure it to enable WebSocket compression. Nevertheless, I have published a security release.

For more details, see:

Reply all
Reply to author
0 new messages