Cpp Httplib
Monthly
cpp-httplib versions before 0.37.2 silently disable TLS certificate validation when following HTTPS redirects through a proxy, allowing attackers to intercept encrypted connections without detection. This affects any application using cpp-httplib as an HTTP client with proxy and redirect following enabled. No active exploitation (not in KEV) or public POC has been reported, with low EPSS probability indicating minimal current threat activity.
cpp-httplib versions prior to 0.37.1 crash when the streaming API receives a malformed Content-Length header from any server, as the library fails to validate or handle exceptions from the underlying string parsing function. An attacker can exploit this denial of service condition by hosting a malicious server, performing a man-in-the-middle attack, or leveraging HTTP redirects to crash any client application using the vulnerable library. Currently no patch is available for this issue.
Remote denial of service in cpp-httplib prior to version 0.37.0 allows unauthenticated attackers to crash server processes by submitting HTTP POST requests with maliciously crafted RFC 5987 filename* parameters that trigger catastrophic backtracking in the regex parser. The vulnerability exploits the recursive stack-based implementation of libstdc++'s regex engine, causing uncontrolled stack growth and stack overflow. Public exploit code exists for this vulnerability.
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 7.5 HIGH]
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 5.3 MEDIUM]
cpp-httplib versions prior to 0.30.1 are vulnerable to denial of service attacks due to insufficient validation of decompressed HTTP request body sizes. An unauthenticated remote attacker can send a malicious gzip or brotli-compressed request that decompresses to an arbitrarily large payload in memory, exhausting server resources. Public exploit code exists for this vulnerability, and a patch is available in version 0.30.1 and later.
Cpp-Httplib versions up to 0.30.0 contains a vulnerability that allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack (CVSS 7.5).
A security vulnerability in cpp-httplib (CVSS 5.3) that allows attacker-controlled http headers. Risk factors: public PoC available. Vendor patch is available.
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can inject headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, LOCAL_PORT that are parsed into the request header multimap via read_headers() in httplib.h (headers.emplace), then the server later appends its own internal metadata using the same header names in Server::process_request without erasing duplicates. Because Request::get_header_value returns the first entry for a header key (id == 0) and the client-supplied headers are parsed before server-inserted headers, downstream code that uses these header names may inadvertently use attacker-controlled values. Affected files/locations: cpp-httplib/httplib.h (read_headers, Server::process_request, Request::get_header_value, get_header_value_u64) and cpp-httplib/docker/main.cc (get_client_ip, nginx_access_logger, nginx_error_logger). Attack surface: attacker-controlled HTTP headers in incoming requests flow into the Request.headers multimap and into logging code that reads forwarded headers, enabling IP spoofing, log poisoning, and authorization bypass via header shadowing. This vulnerability is fixed in 0.27.0.
CVE-2025-53629 is a Denial of Service vulnerability in cpp-httplib versions prior to 0.23.0 that allows unauthenticated remote attackers to exhaust server memory through maliciously crafted HTTP requests using Transfer-Encoding: chunked headers. The vulnerability has a CVSS score of 7.5 (high severity) with a network-based attack vector requiring no authentication, and is fixed in version 0.23.0. This is a resource exhaustion attack with direct availability impact and no known public exploit code referenced in initial disclosures.
CVE-2025-53628 is a memory exhaustion vulnerability in cpp-httplib versions prior to 0.20.1 that allows unauthenticated remote attackers to cause denial of service by sending HTTP requests with arbitrarily large individual header lines, exploiting the absence of per-line size limits. The vulnerability affects any application using cpp-httplib as a C++ HTTP/HTTPS library component and requires only user interaction (UI:R) to trigger, with high impact across confidentiality, integrity, and availability. No active exploitation in the wild has been confirmed, but the fix availability and related CVE-2025-53629 suggest this was discovered during security review rather than active exploitation.
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In version 0.21.0, when many http headers fields are passed in, the library does not limit the number of headers, and the memory associated with the headers will not be released when the connection is disconnected. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.22.0 contains a patch for the issue.
cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
cpp-httplib version v0.17.3 through v0.18.3 fails to filter CRLF characters ("\r\n") when those are prefixed with a null byte. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
cpp-httplib versions before 0.37.2 silently disable TLS certificate validation when following HTTPS redirects through a proxy, allowing attackers to intercept encrypted connections without detection. This affects any application using cpp-httplib as an HTTP client with proxy and redirect following enabled. No active exploitation (not in KEV) or public POC has been reported, with low EPSS probability indicating minimal current threat activity.
cpp-httplib versions prior to 0.37.1 crash when the streaming API receives a malformed Content-Length header from any server, as the library fails to validate or handle exceptions from the underlying string parsing function. An attacker can exploit this denial of service condition by hosting a malicious server, performing a man-in-the-middle attack, or leveraging HTTP redirects to crash any client application using the vulnerable library. Currently no patch is available for this issue.
Remote denial of service in cpp-httplib prior to version 0.37.0 allows unauthenticated attackers to crash server processes by submitting HTTP POST requests with maliciously crafted RFC 5987 filename* parameters that trigger catastrophic backtracking in the regex parser. The vulnerability exploits the recursive stack-based implementation of libstdc++'s regex engine, causing uncontrolled stack growth and stack overflow. Public exploit code exists for this vulnerability.
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 7.5 HIGH]
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 5.3 MEDIUM]
cpp-httplib versions prior to 0.30.1 are vulnerable to denial of service attacks due to insufficient validation of decompressed HTTP request body sizes. An unauthenticated remote attacker can send a malicious gzip or brotli-compressed request that decompresses to an arbitrarily large payload in memory, exhausting server resources. Public exploit code exists for this vulnerability, and a patch is available in version 0.30.1 and later.
Cpp-Httplib versions up to 0.30.0 contains a vulnerability that allows attackers to add extra headers, modify request body unexpectedly & trigger an SSRF attack (CVSS 7.5).
A security vulnerability in cpp-httplib (CVSS 5.3) that allows attacker-controlled http headers. Risk factors: public PoC available. Vendor patch is available.
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.27.0, a vulnerability allows attacker-controlled HTTP headers to influence server-visible metadata, logging, and authorization decisions. An attacker can inject headers named REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, LOCAL_PORT that are parsed into the request header multimap via read_headers() in httplib.h (headers.emplace), then the server later appends its own internal metadata using the same header names in Server::process_request without erasing duplicates. Because Request::get_header_value returns the first entry for a header key (id == 0) and the client-supplied headers are parsed before server-inserted headers, downstream code that uses these header names may inadvertently use attacker-controlled values. Affected files/locations: cpp-httplib/httplib.h (read_headers, Server::process_request, Request::get_header_value, get_header_value_u64) and cpp-httplib/docker/main.cc (get_client_ip, nginx_access_logger, nginx_error_logger). Attack surface: attacker-controlled HTTP headers in incoming requests flow into the Request.headers multimap and into logging code that reads forwarded headers, enabling IP spoofing, log poisoning, and authorization bypass via header shadowing. This vulnerability is fixed in 0.27.0.
CVE-2025-53629 is a Denial of Service vulnerability in cpp-httplib versions prior to 0.23.0 that allows unauthenticated remote attackers to exhaust server memory through maliciously crafted HTTP requests using Transfer-Encoding: chunked headers. The vulnerability has a CVSS score of 7.5 (high severity) with a network-based attack vector requiring no authentication, and is fixed in version 0.23.0. This is a resource exhaustion attack with direct availability impact and no known public exploit code referenced in initial disclosures.
CVE-2025-53628 is a memory exhaustion vulnerability in cpp-httplib versions prior to 0.20.1 that allows unauthenticated remote attackers to cause denial of service by sending HTTP requests with arbitrarily large individual header lines, exploiting the absence of per-line size limits. The vulnerability affects any application using cpp-httplib as a C++ HTTP/HTTPS library component and requires only user interaction (UI:R) to trigger, with high impact across confidentiality, integrity, and availability. No active exploitation in the wild has been confirmed, but the fix availability and related CVE-2025-53629 suggest this was discovered during security review rather than active exploitation.
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In version 0.21.0, when many http headers fields are passed in, the library does not limit the number of headers, and the memory associated with the headers will not be released when the connection is disconnected. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.22.0 contains a patch for the issue.
cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
cpp-httplib version v0.17.3 through v0.18.3 fails to filter CRLF characters ("\r\n") when those are prefixed with a null byte. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.