Cap'n Proto KJ-HTTP Library Integer Overflow Vulnerability in Chunked Transfer-Encoding Allowing HTTP Smuggling

Vulnerability

A vulnerability exists in the KJ-HTTP library, which is part of the Cap'n Proto data interchange format and RPC system. Prior to version 1.4.0, the library had two integer overflow bugs related to HTTP message body sizes. When using 'Transfer-Encoding: chunked', if a chunk size parsed to 2^64 or larger, it was silently truncated to a 64-bit integer instead of being rejected. This could theoretically enable HTTP request/response smuggling, especially when KJ-HTTP sits behind a proxy that has its own parsing bugs, so that the two parsers disagree about where a message body ends. Cap'n Proto itself does not use or link against KJ-HTTP, but the vulnerability could affect applications that do, such as the open-source version of the Cloudflare Workers Runtime, 'workerd', under certain conditions.

Impact

Exploitation could lead to HTTP request/response smuggling, allowing an attacker to influence how HTTP messages are delimited and interpreted by the server or client, potentially causing desynchronization between a proxy and the KJ-HTTP endpoint or other unexpected behavior.

Reproduction

The vulnerability can be reproduced by sending an HTTP request with 'Transfer-Encoding: chunked' and a chunk size that exceeds 2^64. This requires a tool or script that allows custom HTTP headers and hand-crafted chunked transfer encoding. The target must be a server that uses a KJ-HTTP version prior to 1.4.0 and is therefore vulnerable to the chunk size overflow.
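To make the bug class concrete from the defender's side, the following added example (not code from Cap'n Proto or KJ-HTTP) contrasts a chunk-size parser that accumulates hex digits in a uint64_t without an overflow check, so that a 17-digit size such as 2^64 wraps to 0, with a hardened parser that rejects any size that would not fit in 64 bits. Function names are hypothetical; chunk extensions after ';' are ignored for brevity.

```cpp
#include <cctype>
#include <cstdint>
#include <string>

// Convert one hex digit character to its value (caller has checked isxdigit).
static unsigned hexDigitValue(char c) {
  return std::isdigit(static_cast<unsigned char>(c))
             ? static_cast<unsigned>(c - '0')
             : static_cast<unsigned>(std::tolower(static_cast<unsigned char>(c)) - 'a' + 10);
}

// Unchecked parse, modelling the bug class described in the advisory:
// value * 16 + digit is computed in uint64_t, so sizes of 2^64 or more
// silently wrap modulo 2^64 instead of being rejected. Returns false only
// when the line carries no hex digits at all.
bool parseChunkSizeUnchecked(const std::string& line, uint64_t& out) {
  uint64_t value = 0;
  size_t i = 0;
  for (; i < line.size() && std::isxdigit(static_cast<unsigned char>(line[i])); ++i) {
    value = value * 16 + hexDigitValue(line[i]);  // wraps on overflow
  }
  if (i == 0) return false;
  out = value;
  return true;
}

// Hardened parse: before shifting in the next digit, verify that
// value * 16 + 15 still fits, i.e. value <= UINT64_MAX >> 4. Any chunk-size
// line that would overflow is rejected so the message can be treated as
// malformed rather than desynchronizing the body boundary.
bool parseChunkSizeChecked(const std::string& line, uint64_t& out) {
  uint64_t value = 0;
  size_t i = 0;
  for (; i < line.size() && std::isxdigit(static_cast<unsigned char>(line[i])); ++i) {
    if (value > (UINT64_MAX >> 4)) return false;  // next digit would overflow
    value = value * 16 + hexDigitValue(line[i]);  // value*16 <= UINT64_MAX-15
  }
  if (i == 0) return false;  // empty or non-hex chunk-size line
  out = value;
  return true;
}
```

With the constructed chunk-size line "10000000000000000" (hex for 2^64), the unchecked parser reports a chunk size of 0 while the checked parser rejects the line; "ffffffffffffffff" (exactly UINT64_MAX) is accepted by both.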

Remediation

Users of the KJ-HTTP library should update to Cap'n Proto version 1.4.0, which includes the necessary fix. Instructions for downloading this version are available on the Cap'n Proto website.

Added: Mar 12, 2026, 8:20 PM
Updated: Mar 12, 2026, 8:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 4.7
remediation: 7.7
relevance: 3.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.