CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.23.0, incoming requests using Transfer-Encoding: chunked in the header can allocate memory arbitrarily in the server, potentially leading to its exhaustion. This vulnerability is fixed in 0.23.0. NOTE: This vulnerability is related to CVE-2025-53628.
Analysis
CVE-2025-53629 is a Denial of Service vulnerability in cpp-httplib versions prior to 0.23.0 that allows unauthenticated remote attackers to exhaust server memory through maliciously crafted HTTP requests using Transfer-Encoding: chunked headers. The vulnerability has a CVSS score of 7.5 (high severity) with a network-based attack vector requiring no authentication, and is fixed in version 0.23.0. This is a resource exhaustion attack with direct availability impact and no known public exploit code referenced in initial disclosures.
Technical Context
cpp-httplib is a lightweight, header-only C++11 HTTP/HTTPS client and server library designed for cross-platform use. The vulnerability stems from improper handling of the Transfer-Encoding: chunked HTTP/1.1 protocol feature, which allows request bodies to be sent in variable-sized chunks with a final zero-length chunk marking the end. The root cause is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), indicating that the library does not enforce adequate bounds checking or resource limits when processing chunked transfer encoding. During chunk processing, the server allocates memory to buffer incoming data without validating the total allocation size, so an attacker can trigger arbitrary memory allocation by sending a series of large chunk declarations. The vulnerability is related to CVE-2025-53628, suggesting a broader class of Transfer-Encoding handling issues in this library.
Affected Products
The vulnerability affects cpp-httplib (also written cpp_httplib) in all versions prior to 0.23.0. Specific affected version ranges include: 0.1.x through 0.22.x. Typical CPE representation would be: cpe:2.3:a:cpp-httplib:cpp-httplib:*:*:*:*:*:*:*:* (versions < 0.23.0). The library is header-only and embedded directly in applications, meaning any C++ application statically linking or including cpp-httplib versions prior to 0.23.0 and exposing HTTP endpoints is affected. Common deployment scenarios include embedded web servers, microservices using cpp-httplib for HTTP handling, and cross-platform C++ applications with HTTP capabilities.
Remediation
Immediate remediation: Upgrade cpp-httplib to version 0.23.0 or later. For organizations unable to immediately upgrade, implement the following mitigations: (1) Deploy network-level request filtering to limit chunk sizes and total request body sizes before they reach the application; (2) Configure web application firewalls (WAF) to reject Transfer-Encoding: chunked requests or enforce strict chunk size limits; (3) Implement application-level timeouts and memory monitoring to detect resource exhaustion attacks and gracefully reject oversized requests; (4) Apply rate limiting to incoming HTTP requests to reduce attack feasibility; (5) Monitor system memory usage patterns for anomalous allocation spikes. Vendor patch source: Upgrade to cpp-httplib release 0.23.0 or newer from the official repository (https://github.com/yhirose/cpp-httplib). The fix is expected to implement proper bounds checking and resource limits on chunked transfer encoding processing.
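The decoder below is an added example, not cpp-httplib's own code or its 0.23.0 fix. It illustrates the CWE-770 point from the Technical Context (the declared chunk size must be validated before any buffer is grown) and remediation item (3) (reject oversized requests instead of buffering them). The limit values, the helper names (`decode_chunked`, `repeated_chunks`) and the sample inputs are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <sstream>
#include <string>

// Outcome of decoding one chunked request body.
enum class ChunkedResult { Ok, Incomplete, Malformed, ChunkTooLarge, BodyTooLarge };

// Deployment-chosen limits; the values used below are illustrative, not library defaults.
struct ChunkedLimits {
    std::size_t max_chunk_size;  // largest single chunk accepted
    std::size_t max_body_size;   // largest decoded body accepted in total
};

struct Decoded {
    ChunkedResult result;
    std::string body;  // decoded bytes accepted so far; never exceeds max_body_size
};

// Parse a chunk-size line: hex digits with an optional ";ext" suffix. Rejects non-hex
// characters and any value that would overflow 64 bits (reported as Malformed).
static bool parse_chunk_size(const std::string& line, std::uint64_t& size) {
    std::string digits = line.substr(0, line.find(';'));
    if (digits.empty()) return false;
    size = 0;
    for (char c : digits) {
        int d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return false;
        if (size > (UINT64_MAX >> 4)) return false;  // next shift would overflow
        size = (size << 4) | static_cast<std::uint64_t>(d);
    }
    return true;
}

// Decode `wire` (raw body bytes as received) under `lim`. Every declared chunk size is
// checked against both limits BEFORE any bytes are appended, so a peer cannot make the
// decoder hold more than max_body_size regardless of the sizes it declares.
Decoded decode_chunked(const std::string& wire, const ChunkedLimits& lim) {
    Decoded d{ChunkedResult::Incomplete, std::string()};
    std::size_t pos = 0;
    while (true) {
        std::size_t eol = wire.find("\r\n", pos);
        if (eol == std::string::npos) { d.result = ChunkedResult::Incomplete; return d; }
        std::uint64_t chunk_size = 0;
        if (!parse_chunk_size(wire.substr(pos, eol - pos), chunk_size)) {
            d.result = ChunkedResult::Malformed; return d;
        }
        // Bounds checks on the declared size, not on bytes already received.
        if (chunk_size > lim.max_chunk_size) { d.result = ChunkedResult::ChunkTooLarge; return d; }
        if (chunk_size > lim.max_body_size - d.body.size()) { d.result = ChunkedResult::BodyTooLarge; return d; }
        pos = eol + 2;
        if (chunk_size == 0) {
            // Last chunk: skip optional trailer fields until the terminating empty line.
            while (true) {
                std::size_t teol = wire.find("\r\n", pos);
                if (teol == std::string::npos) { d.result = ChunkedResult::Incomplete; return d; }
                bool empty_line = (teol == pos);
                pos = teol + 2;
                if (empty_line) { d.result = ChunkedResult::Ok; return d; }
            }
        }
        // Chunk data plus its trailing CRLF must be fully present before we copy it.
        std::size_t avail = wire.size() - pos;
        if (avail < chunk_size || avail - chunk_size < 2) { d.result = ChunkedResult::Incomplete; return d; }
        d.body.append(wire, pos, static_cast<std::size_t>(chunk_size));
        pos += static_cast<std::size_t>(chunk_size);
        if (wire.compare(pos, 2, "\r\n") != 0) { d.result = ChunkedResult::Malformed; return d; }
        pos += 2;
    }
}

// Constructed input: `count` chunks of `chunk_len` bytes of 'a', then the final chunk.
std::string repeated_chunks(std::size_t chunk_len, std::size_t count) {
    std::ostringstream os;
    for (std::size_t i = 0; i < count; ++i)
        os << std::hex << chunk_len << "\r\n" << std::string(chunk_len, 'a') << "\r\n";
    os << "0\r\n\r\n";
    return os.str();
}

int main() {
    const ChunkedLimits lim{1024, 4096};
    Decoded ok = decode_chunked("5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n", lim);
    std::cout << "normal body: " << ok.body << "\n";
    // One huge declared chunk is rejected without growing the buffer at all.
    Decoded big = decode_chunked("FFFFFFFF\r\n", lim);
    std::cout << "huge chunk rejected=" << (big.result == ChunkedResult::ChunkTooLarge)
              << " buffered=" << big.body.size() << "\n";
    // Many in-limit chunks are capped by the total body limit.
    Decoded many = decode_chunked(repeated_chunks(1024, 8), lim);
    std::cout << "many chunks rejected=" << (many.result == ChunkedResult::BodyTooLarge)
              << " buffered=" << many.body.size() << "\n";
    return 0;
}
```

The two rejection paths correspond to the two ways the page's description can be abused: a single oversized declaration (ChunkTooLarge, caught before a single byte is buffered) and a long series of acceptable chunks whose sum exceeds what the server is willing to hold (BodyTooLarge, caught once the running total would pass the limit). A server using this pattern can answer 413 at that point instead of growing its buffer.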
Priority Score
Vendor Status
Ubuntu
Priority: Medium

| Release | Status | Version |
|---|---|---|
| jammy | needed | - |
| noble | needed | - |
| upstream | released | 0.23.0 |
| questing | needed | - |
| plucky | ignored | end of life, was needs-triage |
Debian
Bug #1109340

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bookworm | vulnerable | 0.11.4+ds-1+deb12u1 | - |
| forky, sid, trixie | vulnerable | 0.18.7-1 | - |
| experimental | fixed | 0.25.0+ds-1 | - |
| (unstable) | fixed | (unfixed) | - |
External POC / Exploit Code
EUVD-2025-21055