
cpp-httplib EUVD-2025-21055 | CVE-2025-53629 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
Published 2025-07-10 by security-advisories@github.com
CVSS 3.1 base score 7.5 (GitHub Advisory)

Severity by source

GitHub Advisory (primary): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu: MEDIUM (qualitative)
SUSE: HIGH (qualitative)

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 16, 2026 - 06:52 (euvd), EUVD-2025-21055
Analysis Generated: Mar 16, 2026 - 06:52 (vuln.today)
Patch released: Mar 16, 2026 - 06:52 (nvd), patch available
PoC Detected: Aug 06, 2025 - 18:09 (vuln.today), public exploit code
CVE Published: Jul 10, 2025 - 20:15 (nvd)

Description (GitHub Advisory)

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.23.0, incoming requests using Transfer-Encoding: chunked in the header can allocate memory arbitrarily in the server, potentially leading to its exhaustion. This vulnerability is fixed in 0.23.0. NOTE: This vulnerability is related to CVE-2025-53628.

Analysis (AI)

CVE-2025-53629 is a denial-of-service vulnerability in cpp-httplib versions prior to 0.23.0 that lets an unauthenticated remote attacker exhaust server memory with a crafted HTTP request that declares Transfer-Encoding: chunked. It carries a CVSS 3.1 base score of 7.5 (High): network attack vector, low complexity, no privileges or user interaction required, no confidentiality or integrity impact, high availability impact. The fix is in version 0.23.0. The initial disclosures referenced no public exploit code; the lifecycle timeline on this page, however, records a PoC detected on Aug 06, 2025, so exploit code should be assumed to be available.

Technical Context (AI)

cpp-httplib is a lightweight, header-only C++11 HTTP/HTTPS client and server library for cross-platform use. The vulnerability lies in its handling of Transfer-Encoding: chunked, the HTTP/1.1 mechanism in which a request body is sent as a sequence of chunks, each prefixed by its hexadecimal length, and terminated by a zero-length chunk. Because a chunked body carries no up-front Content-Length, the server must impose its own ceiling while it accumulates chunks; the root cause is classified as CWE-770 (Allocation of Resources Without Limits or Throttling), meaning the library did not bound the memory it buffered for a chunked request body. A client can therefore keep sending chunks, or declare very large ones, and drive allocation as far as the server's memory allows without ever finishing the request. The advisory notes a relationship to CVE-2025-53628, which points to a wider set of Transfer-Encoding handling issues in this library.
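The following is an added example written for this page, not code from cpp-httplib or from the advisory: a minimal HTTP/1.1 chunked-body decoder in the two forms the paragraph contrasts. read_chunked_unbounded() follows the CWE-770 pattern (every chunk is appended with no ceiling), while read_chunked_capped() checks each declared chunk size against the remaining budget before any data is buffered. All names, the Result/Status types and the constructed input are this example's own assumptions and do not reflect the library's internals or API.

```cpp
// Added example (not cpp-httplib code): a chunked-body decoder written both
// ways. decode(in, 0) reproduces the unbounded pattern behind CWE-770;
// decode(in, max_body) enforces a ceiling on the decoded body. C++11 only.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <iostream>
#include <string>

namespace chunked_demo {

enum class Status { Ok, Malformed, TooLarge };

struct Result {
  Status status;
  std::string body;      // decoded body, meaningful only when status == Ok
  std::size_t consumed;  // bytes of input consumed when the decoder stopped
};

// Parse one chunk-size line ("1a;ext=val\r\n") starting at pos. On success
// advances pos past the CRLF and stores the size. Rejects non-hex digits and
// values that would not fit in size_t.
bool parse_chunk_size(const std::string& in, std::size_t& pos, std::size_t& size) {
  std::size_t eol = in.find("\r\n", pos);
  if (eol == std::string::npos) return false;
  std::string line = in.substr(pos, eol - pos);
  std::size_t semi = line.find(';');           // chunk extensions are ignored
  if (semi != std::string::npos) line.erase(semi);
  if (line.empty()) return false;
  std::size_t value = 0;
  for (char c : line) {
    unsigned d = 0;
    if (c >= '0' && c <= '9') d = static_cast<unsigned>(c - '0');
    else if (c >= 'a' && c <= 'f') d = static_cast<unsigned>(c - 'a' + 10);
    else if (c >= 'A' && c <= 'F') d = static_cast<unsigned>(c - 'A' + 10);
    else return false;
    if (value > (SIZE_MAX >> 4)) return false;  // next shift would overflow
    value = (value << 4) | d;
  }
  pos = eol + 2;
  size = value;
  return true;
}

// Shared decoder. max_body == 0 means "no limit", i.e. the vulnerable behaviour.
Result decode(const std::string& in, std::size_t max_body) {
  Result r{Status::Malformed, std::string(), 0};
  std::size_t pos = 0;
  std::size_t size = 0;
  while (parse_chunk_size(in, pos, size)) {
    if (size == 0) {                             // last-chunk; trailers not supported
      if (in.compare(pos, 2, "\r\n") != 0) return r;
      r.status = Status::Ok;
      r.consumed = pos + 2;
      return r;
    }
    // The check the unbounded form lacks: compare the *declared* size with the
    // remaining budget before reading or allocating anything for this chunk.
    if (max_body != 0 && size > max_body - r.body.size()) {
      r.status = Status::TooLarge;
      r.consumed = pos;
      return r;
    }
    std::size_t avail = in.size() - pos;
    if (size > avail || avail - size < 2) return r;   // truncated input
    r.body.append(in, pos, size);                // grows without bound when max_body == 0
    pos += size;
    if (in.compare(pos, 2, "\r\n") != 0) return r;
    pos += 2;
  }
  return r;
}

Result read_chunked_unbounded(const std::string& in) { return decode(in, 0); }
Result read_chunked_capped(const std::string& in, std::size_t max_body) {
  return decode(in, max_body);
}

// Constructed input: n chunks of `chunk` bytes of 'A', then the last-chunk.
std::string make_chunked(std::size_t n, std::size_t chunk) {
  char hex[32];
  std::snprintf(hex, sizeof hex, "%zx", chunk);
  std::string out;
  for (std::size_t i = 0; i < n; ++i) {
    out += hex;
    out += "\r\n";
    out.append(chunk, 'A');
    out += "\r\n";
  }
  out += "0\r\n\r\n";
  return out;
}

}  // namespace chunked_demo

int main() {
  using namespace chunked_demo;
  // 64 chunks of 64 KiB: 4 MiB decoded. A hostile client would simply keep going.
  std::string stream = make_chunked(64, 64 * 1024);
  Result a = read_chunked_unbounded(stream);
  Result b = read_chunked_capped(stream, 1024 * 1024);   // 1 MiB budget
  std::cout << "unbounded: status=" << static_cast<int>(a.status)
            << " body=" << a.body.size() << " bytes\n";
  std::cout << "capped:    status=" << static_cast<int>(b.status)
            << " stopped after " << b.consumed << " input bytes\n";
  return 0;
}
```

The capped decoder rejects on the declared size, not after the data arrives, so a hostile chunk-size line never drives an allocation; the overflow guard in parse_chunk_size() matters for the same reason, since a size that wraps around would pass a naive ceiling check. cpp-httplib's Server exposes set_payload_max_length() for request bodies, but this page does not say whether affected versions applied that limit to chunked bodies, so it is not a substitute for upgrading to 0.23.0.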

Remediation (AI)

Immediate remediation: upgrade cpp-httplib to version 0.23.0 or later from the official repository (https://github.com/yhirose/cpp-httplib). Because the library is header-only, the fix only takes effect once every dependent binary is rebuilt against the new header; a vendored copy or a distribution package that still ships an older header leaves the application exposed.

Where an immediate upgrade is not possible, apply the following mitigations:
(1) Terminate HTTP at a reverse proxy or load balancer that enforces a maximum request body size, so chunked bodies are bounded (and ideally de-chunked) before they reach the application.
(2) Configure any web application firewall (WAF) in front of the service to enforce strict limits on chunked request bodies. Rejecting Transfer-Encoding: chunked outright is also effective, but it breaks legitimate clients that stream uploads, so confirm which clients rely on it first.
(3) Apply request and idle timeouts at the application layer, and monitor process memory so oversized or slow-dripping chunked requests are rejected rather than allowed to accumulate.
(4) Rate-limit incoming HTTP requests per client to raise the cost of sustaining the attack.
(5) Alert on anomalous memory growth in the server process so an attack is caught before the host swaps or the OOM killer intervenes.

The fix in 0.23.0 is expected to add bounds checking and resource limits to chunked transfer encoding processing.

Vendor Status

Ubuntu

Priority: Medium
Package: cpp-httplib

Release    Status     Version
jammy      needed     -
noble      needed     -
upstream   released   0.23.0
questing   needed     -
plucky     ignored    end of life, was needs-triage

Debian

Bug #1109340
Package: cpp-httplib

Release              Status       Version               Urgency
bookworm             vulnerable   0.11.4+ds-1+deb12u1   -
forky, sid, trixie   vulnerable   0.18.7-1              -
experimental         fixed        0.25.0+ds-1           -
(unstable)           fixed        (unfixed)             -

SUSE

Severity: High

Product                                                                   Status
Container suse/sl-micro/6.0/baremetal-os-container:latest                 Affected
Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.29             Affected
Image SL-Micro-Azure                                                      Affected
Image SL-Micro-BYOS-Azure                                                 Affected
Image SL-Micro-BYOS-EC2                                                   Affected
Image SL-Micro-BYOS-GCE                                                   Affected
Image SL-Micro-EC2                                                        Affected
Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure                           Affected
Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2                             Affected
Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE                             Affected
Image SUSE-Multi-Linux-Manager-Server-Azure-llc                           Affected
Image SUSE-Multi-Linux-Manager-Server-Azure-ltd                           Affected
Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure                          Affected
Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2                            Affected
Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE                            Affected
Image SUSE-Multi-Linux-Manager-Server-EC2-llc                             Affected
Image SUSE-Multi-Linux-Manager-Server-EC2-ltd                             Affected
Container suse/sl-micro/6.0/toolbox:13.2-9.1                              Affected
SUSE Linux Enterprise Server 16.0                                         Fixed
SUSE Linux Enterprise Server for SAP applications 16.0                    Fixed
SUSE Package Hub 15 SP6                                                   Fixed
openSUSE Leap 15.6                                                        Fixed


EUVD-2025-21055 vulnerability details – vuln.today
