CVE-2026-32239
HTTP Request Smuggling via Negative Content-Length in Cap'n Proto
Publication date: 2026-03-12
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| capnproto | capnproto | to 1.4.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-32239 is a vulnerability in the KJ-HTTP library used by Cap'n Proto, involving improper handling of HTTP message body sizes."}, {'type': 'paragraph', 'content': 'Specifically, the library incorrectly handled negative Content-Length header values by converting them to large unsigned integers, causing an integer overflow. This could lead to processing an impossibly large HTTP body length.'}, {'type': 'paragraph', 'content': 'Additionally, the library allowed chunk sizes in Transfer-Encoding: chunked requests that could overflow a 64-bit unsigned integer, causing truncation and misinterpretation of chunk sizes.'}, {'type': 'paragraph', 'content': 'These bugs could theoretically enable HTTP request/response smuggling attacks if exploited, although exploitation requires additional vulnerabilities in HTTP proxies.'}, {'type': 'paragraph', 'content': 'The vulnerability was fixed in version 1.4.0 by adding explicit validation to ensure Content-Length values are non-negative integers and by adding overflow checks when parsing chunk sizes.'}] [1, 3, 5]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can impact you by enabling HTTP request/response smuggling attacks if your system uses the vulnerable KJ-HTTP library and an HTTP proxy in the communication path improperly handles negative Content-Length values or excessively large chunk sizes.'}, {'type': 'paragraph', 'content': 'Such attacks could allow an attacker to bypass security controls, interfere with HTTP message parsing, or perform unauthorized actions by smuggling malicious requests or responses.'}, {'type': 'paragraph', 'content': 'However, exploitation requires a proxy that forwards these invalid values without rewriting them, and KJ-HTTP-based proxies themselves do not exhibit this behavior.'}, {'type': 'paragraph', 'content': "If you use only Cap'n Proto without KJ-HTTP, you are not affected. The primary known user of KJ-HTTP is the Cloudflare Workers Runtime, which is not impacted in production."}, {'type': 'paragraph', 'content': 'To mitigate risk, users of KJ-HTTP should update to version 1.4.0 or later where the vulnerability is fixed.'}] [3, 1, 5]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending specially crafted HTTP requests that include either a negative Content-Length header or a chunked Transfer-Encoding header with an excessively large chunk size (β₯ 2^64). If the server or proxy is vulnerable, it may improperly process these requests.'}, {'type': 'paragraph', 'content': "To test detection, you can use commands that send HTTP requests with these invalid headers and observe the server's response. A vulnerable system might accept or mishandle these requests, while a patched system should reject them with a 500 Internal Server Error."}, {'type': 'list_item', 'content': 'Send an HTTP request with a negative Content-Length header, for example using curl or netcat:'}, {'type': 'list_item', 'content': 'curl -v -H "Content-Length: -1" http://target-server/'}, {'type': 'list_item', 'content': 'Send a chunked Transfer-Encoding request with an oversized chunk size (e.g., 0x10000000000000000):'}, {'type': 'list_item', 'content': 'Use a custom script or netcat to send a raw HTTP request with a chunk size header set to 0x10000000000000000 and observe if the server rejects it.'}, {'type': 'paragraph', 'content': 'If the server responds with a 500 Internal Server Error to these malformed requests, it indicates that the fix is in place. If it accepts or processes them incorrectly, the system may be vulnerable.'}] [1, 3, 5]
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation step is to update the KJ-HTTP library to version 1.4.0 or later, where this vulnerability is fixed.
If updating immediately is not possible, ensure that any HTTP proxies or intermediaries in your environment do not forward negative Content-Length headers or chunk sizes larger than 2^64 without validation or rewriting.
Additionally, monitor and filter incoming HTTP requests to reject those with invalid Content-Length or chunked Transfer-Encoding headers that could trigger this vulnerability.
Applying these steps will prevent potential HTTP request/response smuggling attacks that could arise from this integer overflow bug.