Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionGitHub Advisory
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In version 0.21.0, when many http headers fields are passed in, the library does not limit the number of headers, and the memory associated with the headers will not be released when the connection is disconnected. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.22.0 contains a patch for the issue.
Analysis
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In version 0.21.0, when many http headers fields are passed in, the library does not limit the number of headers, and the memory associated with the headers will not be released when the connection is disconnected. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.22.0 contains a patch for the issue.
Technical ContextAI
A denial of service vulnerability allows an attacker to disrupt the normal functioning of a system, making it unavailable to legitimate users. This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400).
RemediationAI
A vendor patch is available — apply it immediately. Implement rate limiting and input validation. Use timeout mechanisms for resource-intensive operations. Deploy DDoS protection where applicable.
More in Cpp Httplib
View allcpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allow
CVE-2025-53628 is a memory exhaustion vulnerability in cpp-httplib versions prior to 0.20.1 that allows unauthenticated
cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Rated high severity (CVSS 7.5), this vulnerabilit
CVE-2025-53629 is a Denial of Service vulnerability in cpp-httplib versions prior to 0.23.0 that allows unauthenticated
cpp-httplib versions prior to 0.30.1 are vulnerable to denial of service attacks due to insufficient validation of decom
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 7.5 HIGH]
Cpp-Httplib versions up to 0.30.0 contains a vulnerability that allows attackers to add extra headers, modify request bo
cpp-httplib through 0.5.8 does not filter \r\n in parameters passed into the set_redirect and set_header functions, whic
Remote denial of service in cpp-httplib prior to version 0.37.0 allows unauthenticated attackers to crash server process
A security vulnerability in cpp-httplib (CVSS 5.3) that allows attacker-controlled http headers. Risk factors: public Po
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 5.3 MEDIUM]
Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerable to CRLF Injection when untrusted user input is
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| plucky | ignored | end of life, was needs-triage |
| jammy | needed | - |
| noble | needed | - |
| upstream | released | 0.22.0 |
| oracular | ignored | end of life, was needs-triage |
| questing | needed | - |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bookworm | fixed | 0.11.4+ds-1+deb12u1 | - |
| forky, sid, trixie | fixed | 0.18.7-1 | - |
| (unstable) | not-affected | - | - |
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Package Hub 15 SP6 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-19196