Описание
A flaw was found in the KJ-HTTP component of Cap’n Proto when processing HTTP messages that use Transfer-Encoding: chunked. If a chunk size is parsed as a value equal to or greater than 2^64, the value may be truncated when converted to a 64-bit integer. An attacker could exploit this behavior by sending specially crafted HTTP messages containing excessively large chunk sizes. This may cause incorrect interpretation of HTTP message boundaries and could theoretically enable HTTP request or response smuggling in applications that rely on the affected HTTP implementation.
Отчет
This issue is rated Moderate severity by Red Hat Product Security, because exploitation requires specially crafted malformed HTTP requests containing extremely large chunk size values that exceed normal protocol limits. Such requests are not generated by typical HTTP clients and may be rejected by intermediary infrastructure such as reverse proxies or load balancers before reaching the affected parser. Additionally, meaningful exploitation generally depends on differences in how multiple HTTP components interpret malformed chunked encoding values. Because these conditions require non-standard inputs and specific deployment configurations, the attack complexity is considered High. The potential impact is limited to inconsistencies in HTTP request parsing that could enable limited request smuggling scenarios, without directly causing service crashes or enabling arbitrary code execution.
Меры по смягчению последствий
Red Hat is not aware of a practical temporary workaround that fully mitigates this issue or meets Red Hat Product Security's standards for usability, deployment, applicability, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | capnproto | Fix deferred |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
4.8 Medium
CVSS3
Связанные уязвимости
Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, when using Transfer-Encoding: chunked, if a chunk's size parsed to a value of 2^64 or larger, it would be truncated to a 64-bit integer. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0.
Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, when using Transfer-Encoding: chunked, if a chunk's size parsed to a value of 2^64 or larger, it would be truncated to a 64-bit integer. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0.
Cap'n Proto is a data interchange format and capability-based RPC syst ...
EPSS
4.8 Medium
CVSS3