Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked Transfer-Encoding causes unbounded memory allocation and process crash. The ChunkedDecoder::read_payload function in cpp-httplib (httplib.h) parses the chunk-size field of HTTP chunked transfer encoding using std::strtoul(). Per the C standard (§7.22.1.4), strtoul silently accepts a leading minus sign, performing unsigned wrap-around: strtoul("-2", …, 16) returns ULONG_MAX − 1 (0xFFFFFFFFFFFFFFFE). The library's only guard (line 12833) rejects ULONG_MAX (the result of "-1"), but any other negative value such as "-2" passes validation. The resulting near-maximum value is stored in chunk_remaining and controls how many bytes the server's read loop consumes from the network. This vulnerability is fixed in 0.43.4.
AnalysisAI
Unbounded memory allocation in cpp-httplib prior to 0.43.4 allows remote unauthenticated attackers to crash the hosting process via a crafted HTTP request using chunked Transfer-Encoding with a negative chunk-size value. The root cause is a silent unsigned wrap-around in strtoul() that bypasses the library's incomplete size guard, causing chunk_remaining to be set to a near-maximum 64-bit value and forcing the server's read loop to attempt consuming that many bytes from the network. No active exploitation has been confirmed (no CISA KEV listing); no public exploit identified at time of analysis.
Technical ContextAI
cpp-httplib (cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*) is a widely embedded C++11 single-file header-only library used for HTTP/HTTPS functionality across platforms. The vulnerability resides in ChunkedDecoder::read_payload (httplib.h, around line 12833), which parses the chunk-size field of HTTP chunked transfer encoding using std::strtoul(). Per the C standard (§7.22.1.4), strtoul silently accepts a leading minus sign and performs unsigned wrap-around: for example, strtoul("-2", …, 16) returns ULONG_MAX − 1 (0xFFFFFFFFFFFFFFFE). The library's only guard rejects the exact value ULONG_MAX - produced by "-1" - but any other negative chunk-size string such as "-2" passes validation unchallenged. The resulting near-maximum value is stored in chunk_remaining, directing the read loop to attempt consuming ~18.4 exabytes from the socket, causing unbounded memory allocation and ultimately a process crash. The root cause class is CWE-20 (Improper Input Validation): the validation logic incorrectly assumes strtoul cannot return large values for semantically negative inputs.
RemediationAI
The vendor-released patch is cpp-httplib version 0.43.4, which addresses the incomplete strtoul guard in ChunkedDecoder::read_payload. Projects using the library via a package manager should upgrade to 0.43.4 or later immediately. Projects that vendored httplib.h directly must manually replace the header file with the patched version from the 0.43.4 release tag. The advisory is at https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h6wq-j5mv-f3q8. If an immediate upgrade is not possible, a compensating control is to place a reverse proxy or WAF in front of the cpp-httplib server configured to reject HTTP requests with chunk-size values that are not valid unsigned hexadecimal integers (i.e., block any chunk-size field containing a leading minus sign); this adds a parsing layer before the vulnerable code is reached, though it introduces proxy infrastructure overhead and may not be feasible for embedded deployments. Another option for server implementations is to limit maximum chunk size at the network layer, though this does not address the root input validation flaw.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| openSUSE Leap 16.0 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33425