What is the CVSS score of CVE-2025-46728?

CVE-2025-46728 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 1.0%.

Which versions of Cpp Httplib are affected by CVE-2025-46728?

Organizations using cpp-httplib face notable risk from CVE-2025-46728, a resource exhaustion vulnerability rated CVSS 7.5.. A patch is available.

Is there a public PoC exploit available for CVE-2025-46728?

Yes, a public proof-of-concept exploit is available for CVE-2025-46728. Prioritise patching immediately. EPSS: 1.0%.

How to fix or mitigate CVE-2025-46728?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Vendor patch is available.

Cpp Httplib CVE-2025-46728

HIGH

Uncontrolled Resource Consumption (CWE-400)

2025-05-06 security-advisories@github.com

Denial Of Service Nginx Cpp Httplib Suse

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:40 vuln.today

Patch released

Mar 28, 2026 - 18:40 nvd

Patch available

PoC Detected

Aug 01, 2025 - 21:25 vuln.today

Public exploit code

CVE Published

May 06, 2025 - 01:15 nvd

HIGH 7.5

DescriptionNVD

cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Prior to version 0.20.1, the library fails to enforce configured size limits on incoming request bodies when Transfer-Encoding: chunked is used or when no Content-Length header is provided. A remote attacker can send a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits during parsing. If the limit is exceeded at any point during reading, the connection is terminated immediately. A short-term workaround through a Reverse Proxy is available. If updating the library immediately is not feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the cpp-httplib application. Configure the proxy to enforce maximum request body size limits, thereby stopping excessively large requests before they reach the vulnerable library code.

AnalysisAI

cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Prior to version 0.20.1, the library fails to enforce configured size limits on incoming request bodies when Transfer-Encoding: chunked is used or when no Content-Length header is provided. A remote attacker can send a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits during parsing. If the limit is exceeded at any point during reading, the connection is terminated immediately. A short-term workaround through a Reverse Proxy is available. If updating the library immediately is not feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the cpp-httplib application. Configure the proxy to enforce maximum request body size limits, thereby stopping excessively large requests before they reach the vulnerable library code. Affected products include: Cpp-Httplib Project Cpp-Httplib. Version information: version 0.20.1.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.