Skip to main content

cpp-httplib CVE-2026-45352

| EUVDEUVD-2026-33425 MEDIUM
Improper Input Validation (CWE-20)
2026-05-29 GitHub_M
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Patch available
May 29, 2026 - 21:02 EUVD
Analysis Generated
May 29, 2026 - 19:47 vuln.today

DescriptionGitHub Advisory

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked Transfer-Encoding causes unbounded memory allocation and process crash. The ChunkedDecoder::read_payload function in cpp-httplib (httplib.h) parses the chunk-size field of HTTP chunked transfer encoding using std::strtoul(). Per the C standard (§7.22.1.4), strtoul silently accepts a leading minus sign, performing unsigned wrap-around: strtoul("-2", …, 16) returns ULONG_MAX − 1 (0xFFFFFFFFFFFFFFFE). The library's only guard (line 12833) rejects ULONG_MAX (the result of "-1"), but any other negative value such as "-2" passes validation. The resulting near-maximum value is stored in chunk_remaining and controls how many bytes the server's read loop consumes from the network. This vulnerability is fixed in 0.43.4.

AnalysisAI

Unbounded memory allocation in cpp-httplib prior to 0.43.4 allows remote unauthenticated attackers to crash the hosting process via a crafted HTTP request using chunked Transfer-Encoding with a negative chunk-size value. The root cause is a silent unsigned wrap-around in strtoul() that bypasses the library's incomplete size guard, causing chunk_remaining to be set to a near-maximum 64-bit value and forcing the server's read loop to attempt consuming that many bytes from the network. No active exploitation has been confirmed (no CISA KEV listing); no public exploit identified at time of analysis.

Technical ContextAI

cpp-httplib (cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*) is a widely embedded C++11 single-file header-only library used for HTTP/HTTPS functionality across platforms. The vulnerability resides in ChunkedDecoder::read_payload (httplib.h, around line 12833), which parses the chunk-size field of HTTP chunked transfer encoding using std::strtoul(). Per the C standard (§7.22.1.4), strtoul silently accepts a leading minus sign and performs unsigned wrap-around: for example, strtoul("-2", …, 16) returns ULONG_MAX − 1 (0xFFFFFFFFFFFFFFFE). The library's only guard rejects the exact value ULONG_MAX - produced by "-1" - but any other negative chunk-size string such as "-2" passes validation unchallenged. The resulting near-maximum value is stored in chunk_remaining, directing the read loop to attempt consuming ~18.4 exabytes from the socket, causing unbounded memory allocation and ultimately a process crash. The root cause class is CWE-20 (Improper Input Validation): the validation logic incorrectly assumes strtoul cannot return large values for semantically negative inputs.

RemediationAI

The vendor-released patch is cpp-httplib version 0.43.4, which addresses the incomplete strtoul guard in ChunkedDecoder::read_payload. Projects using the library via a package manager should upgrade to 0.43.4 or later immediately. Projects that vendored httplib.h directly must manually replace the header file with the patched version from the 0.43.4 release tag. The advisory is at https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h6wq-j5mv-f3q8. If an immediate upgrade is not possible, a compensating control is to place a reverse proxy or WAF in front of the cpp-httplib server configured to reject HTTP requests with chunk-size values that are not valid unsigned hexadecimal integers (i.e., block any chunk-size field containing a leading minus sign); this adds a parsing layer before the vulnerable code is reached, though it introduces proxy infrastructure overhead and may not be feasible for embedded deployments. Another option for server implementations is to limit maximum chunk size at the network layer, though this does not address the root input validation flaw.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed
SUSE Linux Enterprise Server for SAP applications 16.0 Fixed
SUSE Linux Enterprise Server for SAP applications 16.1 Fixed
openSUSE Leap 16.0 Fixed

Share

CVE-2026-45352 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy