Cap'n Proto KJ HTTP Library WebSocket Compression Buffer Underrun Denial-of-Service Vulnerability

Vulnerability

A buffer underrun vulnerability has been identified in the Cap'n Proto KJ HTTP library, specifically in versions 1.0 and 1.0.1. When WebSocket compression is enabled, a remote peer can cause the underrun, which writes a constant, non-attacker-controlled value into a heap-allocated buffer. This is likely to result in a crash, enabling a remote denial-of-service attack. Most users of Cap'n Proto and KJ are unlikely to have this feature enabled; it is suspected that the vulnerability affects only the Cloudflare Workers Runtime.

Impact

Exploitation of this vulnerability can lead to a buffer underrun on a heap-allocated buffer, causing a crash and enabling a remote denial-of-service attack.

Reproduction

The vulnerability can be reproduced by using the KJ HTTP library with WebSocket compression enabled: compression is negotiated in the WebSocket handshake, and the peer then sends a message that skips the compression. The resulting buffer underrun overwrites part of the memory allocator's state.

Remediation

Users can update to Cap'n Proto version 1.0.1.1, which is available for download as a Unix tarball or a Windows zip file.
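
A triage check for the two preconditions described above, as an added example (not code from Cap'n Proto or from this advisory): it reports whether a server runs a listed version and actually accepted compression in its handshake response. It assumes compression is negotiated as the RFC 7692 `permessage-deflate` extension; the function names and sample responses are constructed.

```python
# Added triage example; names and sample data are constructed, not from KJ.
AFFECTED_VERSIONS = {"1.0", "1.0.1"}  # per the advisory; 1.0.1.1 is the fix


def negotiated_extensions(handshake_response: str) -> list:
    """Extension names the server accepted in its 101 upgrade response."""
    lines = handshake_response.split("\r\n\r\n", 1)[0].split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] != "101":
        return []  # upgrade refused: no WebSocket session, no extensions
    names = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "sec-websocket-extensions":
            # The header may repeat; each value is a comma-separated list
            # of "name; param=value" entries (assumed RFC 7692 syntax).
            for ext in value.split(","):
                token = ext.split(";", 1)[0].strip().lower()
                if token:
                    names.append(token)
    return names


def exposure(capnp_version: str, handshake_response: str) -> str:
    """Combine both preconditions from the advisory into one verdict."""
    affected = capnp_version.strip() in AFFECTED_VERSIONS
    compressed = "permessage-deflate" in negotiated_extensions(handshake_response)
    if affected and compressed:
        return "exposed"
    if affected:
        return "affected-version-compression-off"
    return "version-not-listed"


# Constructed server responses (not captured traffic).
_BASE = "HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
WITH_DEFLATE = _BASE + "Sec-WebSocket-Extensions: permessage-deflate; server_no_context_takeover\r\n\r\n"
NO_DEFLATE = _BASE + "\r\n"
REFUSED = "HTTP/1.1 400 Bad Request\r\nSec-WebSocket-Extensions: permessage-deflate\r\n\r\n"

if __name__ == "__main__":
    for version, resp in [("1.0.1", WITH_DEFLATE), ("1.0.1", NO_DEFLATE), ("1.0.1.1", WITH_DEFLATE)]:
        print(version, exposure(version, resp))
```

Only the server's response is inspected: an extension a client offers but the server does not echo back is not in use on that connection.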

Added: Mar 11, 2026, 6:50 PM
Updated: Mar 11, 2026, 6:50 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 5.6
remediation: 7.7
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.