CVE-2026-32239
Received Received - Intake
HTTP Request Smuggling via Negative Content-Length in Cap'n Proto

Publication date: 2026-03-12

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, a negative Content-Length value was converted to unsigned, treating it as an impossibly large length instead. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-03-18
Generated
2026-06-19
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-18
NVD
CVE-2026-32239
EUVD
EUVD-2026-11687
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
capnproto capnproto to 1.4.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32239 is a vulnerability in the KJ-HTTP library used by Cap'n Proto, involving improper handling of HTTP message body sizes."}, {'type': 'paragraph', 'content': 'Specifically, the library incorrectly handled negative Content-Length header values by converting them to large unsigned integers, causing an integer overflow. This could lead to processing an impossibly large HTTP body length.'}, {'type': 'paragraph', 'content': 'Additionally, the library allowed chunk sizes in Transfer-Encoding: chunked requests that could overflow a 64-bit unsigned integer, causing truncation and misinterpretation of chunk sizes.'}, {'type': 'paragraph', 'content': 'These bugs could theoretically enable HTTP request/response smuggling attacks if exploited, although exploitation requires additional vulnerabilities in HTTP proxies.'}, {'type': 'paragraph', 'content': 'The vulnerability was fixed in version 1.4.0 by adding explicit validation to ensure Content-Length values are non-negative integers and by adding overflow checks when parsing chunk sizes.'}] [1, 3, 5]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can impact you by enabling HTTP request/response smuggling attacks if your system uses the vulnerable KJ-HTTP library and an HTTP proxy in the communication path improperly handles negative Content-Length values or excessively large chunk sizes.'}, {'type': 'paragraph', 'content': 'Such attacks could allow an attacker to bypass security controls, interfere with HTTP message parsing, or perform unauthorized actions by smuggling malicious requests or responses.'}, {'type': 'paragraph', 'content': 'However, exploitation requires a proxy that forwards these invalid values without rewriting them, and KJ-HTTP-based proxies themselves do not exhibit this behavior.'}, {'type': 'paragraph', 'content': "If you use only Cap'n Proto without KJ-HTTP, you are not affected. The primary known user of KJ-HTTP is the Cloudflare Workers Runtime, which is not impacted in production."}, {'type': 'paragraph', 'content': 'To mitigate risk, users of KJ-HTTP should update to version 1.4.0 or later where the vulnerability is fixed.'}] [3, 1, 5]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending specially crafted HTTP requests that include either a negative Content-Length header or a chunked Transfer-Encoding header with an excessively large chunk size (β‰₯ 2^64). If the server or proxy is vulnerable, it may improperly process these requests.'}, {'type': 'paragraph', 'content': "To test detection, you can use commands that send HTTP requests with these invalid headers and observe the server's response. A vulnerable system might accept or mishandle these requests, while a patched system should reject them with a 500 Internal Server Error."}, {'type': 'list_item', 'content': 'Send an HTTP request with a negative Content-Length header, for example using curl or netcat:'}, {'type': 'list_item', 'content': 'curl -v -H "Content-Length: -1" http://target-server/'}, {'type': 'list_item', 'content': 'Send a chunked Transfer-Encoding request with an oversized chunk size (e.g., 0x10000000000000000):'}, {'type': 'list_item', 'content': 'Use a custom script or netcat to send a raw HTTP request with a chunk size header set to 0x10000000000000000 and observe if the server rejects it.'}, {'type': 'paragraph', 'content': 'If the server responds with a 500 Internal Server Error to these malformed requests, it indicates that the fix is in place. If it accepts or processes them incorrectly, the system may be vulnerable.'}] [1, 3, 5]

Mitigation Strategies

The primary immediate mitigation step is to update the KJ-HTTP library to version 1.4.0 or later, where this vulnerability is fixed.

If updating immediately is not possible, ensure that any HTTP proxies or intermediaries in your environment do not forward negative Content-Length headers or chunk sizes larger than 2^64 without validation or rewriting.

Additionally, monitor and filter incoming HTTP requests to reject those with invalid Content-Length or chunked Transfer-Encoding headers that could trigger this vulnerability.

Applying these steps will prevent potential HTTP request/response smuggling attacks that could arise from this integer overflow bug.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32239. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart