Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionGitHub Advisory
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.20.1, cpp-httplib does not have a limit for a unique line, permitting an attacker to explore this to allocate memory arbitrarily. This vulnerability is fixed in 0.20.1. NOTE: This vulnerability is related to CVE-2025-53629.
AnalysisAI
CVE-2025-53628 is a memory exhaustion vulnerability in cpp-httplib versions prior to 0.20.1 that allows unauthenticated remote attackers to cause denial of service by sending HTTP requests with arbitrarily large individual header lines, exploiting the absence of per-line size limits. The vulnerability affects any application using cpp-httplib as a C++ HTTP/HTTPS library component and requires only user interaction (UI:R) to trigger, with high impact across confidentiality, integrity, and availability. No active exploitation in the wild has been confirmed, but the fix availability and related CVE-2025-53629 suggest this was discovered during security review rather than active exploitation.
Technical ContextAI
cpp-httplib is a C++11 single-file, header-only HTTP/HTTPS library providing cross-platform HTTP client/server functionality. The vulnerability resides in the HTTP header parsing logic, where the library fails to enforce maximum length constraints on individual header lines during request processing. This falls under CWE-770 (Allocation of Resources Without Limits or Throttling), a classic resource exhaustion category where unbounded allocation occurs. Unlike typical HTTP implementations that define RFC 7230-compliant limits (commonly 8KB per header line), cpp-httplib's parser accepts lines of arbitrary length, allowing an attacker to construct requests with megabyte or gigabyte-sized single headers. When the library attempts to allocate memory for these oversized lines, it can exhaust heap memory, crash the process, or degrade performance. The affected CPE would be: cpe:2.3:a:cpp-httplib:cpp-httplib:*:*:*:*:*:*:*:* with versions <0.20.1.
RemediationAI
Upgrade cpp-httplib to version 0.20.1 or later. Since cpp-httplib is header-only, update the header files in your project and recompile.; specificity: Version 0.20.1 includes fixes for CVE-2025-53628 (per-line limits) and related CVE-2025-53629 Workaround (Temporary): Implement a reverse proxy or load balancer (nginx, HAProxy, AWS ALB) in front of applications using cpp-httplib, configured with strict header size limits (e.g., nginx: client_max_header_size 8k; client_header_buffer_size 1k). This prevents oversized headers from reaching the vulnerable library.; effectiveness: High, but does not address direct client-to-server connections Defense-in-Depth: Restrict HTTP access to trusted networks or implement rate limiting on header reception. Monitor process memory usage for anomalous growth during HTTP request parsing.; effectiveness: Medium; mitigates but does not eliminate risk
More in Cpp Httplib
View allcpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allow
cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Rated high severity (CVSS 7.5), this vulnerabilit
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In version 0.21.0, when many http head
CVE-2025-53629 is a Denial of Service vulnerability in cpp-httplib versions prior to 0.23.0 that allows unauthenticated
cpp-httplib versions prior to 0.30.1 are vulnerable to denial of service attacks due to insufficient validation of decom
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 7.5 HIGH]
Cpp-Httplib versions up to 0.30.0 contains a vulnerability that allows attackers to add extra headers, modify request bo
cpp-httplib through 0.5.8 does not filter \r\n in parameters passed into the set_redirect and set_header functions, whic
Remote denial of service in cpp-httplib prior to version 0.37.0 allows unauthenticated attackers to crash server process
A security vulnerability in cpp-httplib (CVSS 5.3) that allows attacker-controlled http headers. Risk factors: public Po
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 5.3 MEDIUM]
Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is
Same technique Information Disclosure
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| jammy | needed | - |
| noble | needed | - |
| plucky | ignored | end of life, was needs-triage |
| upstream | released | 0.20.1 |
| questing | needed | - |
Debian
Bug #1109340| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bookworm | vulnerable | 0.11.4+ds-1+deb12u1 | - |
| forky, sid, trixie | vulnerable | 0.18.7-1 | - |
| experimental | fixed | 0.25.0+ds-1 | - |
| (unstable) | fixed | (unfixed) | - |
SUSE
Severity: High| Product | Status |
|---|---|
| Container suse/sl-micro/6.0/baremetal-os-container:latest Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.29 Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd | Affected |
| Container suse/sl-micro/6.0/toolbox:13.2-9.1 | Affected |
| SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Package Hub 15 SP6 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-21053