
cpp-httplib, a C++11 single-file, header-only, cross-platform HTTP/HTTPS library known for its ease of setup, is affected by a serious security vulnerability. A recently identified flaw, tracked as CVE-2025-46728, exposes applications using this library to potential Denial of Service (DoS) attacks.
“A remote attacker can send a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server,” warns the security advisory.
The core issue lies in how the library handles incoming request bodies, specifically when Transfer-Encoding: chunked is used or when the Content-Length header is absent. According to the security advisory, “The library fails to enforce configured size limits on incoming request bodies when Transfer-Encoding: chunked is used or when no Content-Length header is provided.” This oversight allows a remote attacker to exploit the server by sending a chunked request without the necessary terminating zero-length chunk.
By doing so, the attacker can trigger “uncontrolled memory allocation on the server,” ultimately leading to “potential exhaustion of system memory” and causing the server to crash or become unresponsive. The vulnerability stems from the read_content_chunked function, which continuously reads incoming chunks without limiting the total accumulated size. As the advisory explains, “An attacker can maintain the connection and send unlimited chunk data without the terminating chunk, forcing unbounded memory allocation.”
The impact of this vulnerability is significant. It can lead to a full Denial of Service, where “The server process will consume excessive memory until it crashes or becomes unresponsive.” In multi-tenant systems, this can have a cascading effect, causing “Resource Exhaustion” and impacting other applications by consuming system resources.
The affected versions of cpp-httplib are 0.20.0 and earlier. Users are strongly advised to update to the patched version, 0.20.1, to mitigate this vulnerability.
For those unable to update immediately, the advisory suggests a short-term workaround:
- “If updating the library immediately is not feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the cpp-httplib application. Configure the proxy to enforce maximum request body size limits, thereby stopping excessively large requests before they reach the vulnerable library code.”
The ultimate solution, of course, is what the advisory lists as the “Code fix”: “Enforce limits during parsing. If the limit is exceeded at any point during reading, the connection should be terminated immediately (e.g., by returning an error or closing the stream).”
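The following sketch shows what enforcing the limit during parsing looks like for a chunked body. It is an added example, not cpp-httplib's code or its 0.20.1 patch. The names ChunkResult, hex_value and read_chunked_bounded and the 64-byte cap on the size line are assumptions made for illustration.

```cpp
#include <istream>
#include <sstream>
#include <string>

// Added example with hypothetical names; not cpp-httplib's read_content_chunked.
enum class ChunkResult { Complete, TooLarge, Malformed, Truncated };

static int hex_value(int c) {
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  if (c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

// Decodes a chunked body from `in`, never holding more than `max_body` bytes.
ChunkResult read_chunked_bounded(std::istream &in, std::size_t max_body,
                                 std::string &body) {
  const int eof = std::istream::traits_type::eof();
  body.clear();
  for (;;) {
    // Read the size line byte by byte so the line itself is bounded too.
    std::string line;
    for (int c; (c = in.get()) != '\n';) {
      if (c == eof) return ChunkResult::Truncated;
      if (line.size() >= 64) return ChunkResult::Malformed;  // assumed cap
      line.push_back(static_cast<char>(c));
    }
    if (line.empty() || line.back() != '\r') return ChunkResult::Malformed;
    line.pop_back();
    std::size_t size = 0, i = 0;
    for (; i < line.size() && line[i] != ';'; ++i) {  // stop at chunk extension
      int d = hex_value(line[i]);
      if (d < 0) return ChunkResult::Malformed;
      if (size > max_body / 16) return ChunkResult::TooLarge;  // no overflow
      size = size * 16 + static_cast<std::size_t>(d);
    }
    if (i == 0) return ChunkResult::Malformed;
    if (size == 0) return ChunkResult::Complete;  // trailer fields not parsed
    // Check the running total before buffering the chunk, not after.
    if (size > max_body - body.size()) return ChunkResult::TooLarge;
    const std::size_t old = body.size();
    body.resize(old + size);
    in.read(&body[old], static_cast<std::streamsize>(size));
    char crlf[2] = {0, 0};
    in.read(crlf, 2);  // a short body read above leaves gcount() at 0 here
    if (in.gcount() != 2) return ChunkResult::Truncated;
    if (crlf[0] != '\r' || crlf[1] != '\n') return ChunkResult::Malformed;
  }
}
```

A caller would treat TooLarge, Malformed and Truncated alike by discarding the body and closing the connection. A stream of chunks with no terminating zero-length chunk then costs at most max_body bytes.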