Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory.
Published: 2026-01-12
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (DoS)
Action: Apply Patch
AI Analysis

Impact

cpp-httplib is a header-only C++11 HTTP/HTTPS library. The defect lies in its handling of compressed HTTP request bodies. While the library checks that the compressed payload does not exceed a preset maximum length (payload_max_length), it does not impose any limit on the size of the data after decompression. An attacker can therefore send a gzip- or Brotli (br)-encoded body that expands dramatically when decompressed, causing excessive memory allocation and ultimately exhausting the application's resources.

Affected Systems

The vulnerability affects all deployments of yhirose:cpp-httplib built with a version earlier than 0.30.1, regardless of operating system, because the library is header-only and used wherever the header is included in an application.

Risk and Exploitability

The vulnerability is rated with a CVSS score of 8.7, indicating a high severity risk. The EPSS score is reported as less than 1%, suggesting a low probability of exploitation at the current time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the most likely attack vector is remote: an adversary can target a server or service that includes the vulnerable library by sending a specially crafted HTTP request with a compressed body that expands to consume large amounts of memory, leading to a denial of service by exhausting system resources and affecting application availability.

Generated by OpenCVE AI on April 18, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade cpp-httplib to version 0.30.1 or later, which limits decompressed request sizes
  • Add application-level validation to reject or truncate compressed request bodies that exceed a safe decompressed size threshold
  • Configure your web server or API gateway to enforce maximum HTTP request size and reject oversized compressed payloads before they reach the application
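As an added illustration (not code from cpp-httplib or from this advisory), the Python snippet below contrasts the insufficient check the advisory describes, which compares only the compressed size against the limit, with a bounded inflate that enforces the same limit on the decompressed output. PAYLOAD_MAX_LENGTH stands in for cpp-httplib's payload_max_length, the sample bodies are constructed, and Python's zlib is used in place of the library's C++ code because the pattern is the same.

```python
import gzip
import zlib

# Hypothetical limit standing in for cpp-httplib's payload_max_length.
PAYLOAD_MAX_LENGTH = 1 * 1024 * 1024  # 1 MiB

# Constructed sample bodies: 8 MiB of zeros gzips to a few KiB (a "bomb"),
# next to a small legitimate JSON body.
BOMB_BODY = gzip.compress(b"\x00" * (8 * 1024 * 1024))
SMALL_PLAIN = b'{"status": "ok"}'
SMALL_BODY = gzip.compress(SMALL_PLAIN)


def compressed_size_only_check(body: bytes, limit: int) -> bool:
    """The insufficient check: only the on-the-wire (compressed) size is compared."""
    return len(body) <= limit


def inflate_bounded(body: bytes, limit: int) -> bytes:
    """Inflate a gzip/zlib body, raising ValueError before more than `limit` bytes exist."""
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)  # auto-detect gzip or zlib header
    out = bytearray()
    pending = body
    while not d.eof:
        # Ask zlib for at most (remaining budget + 1) bytes: the extra byte is what
        # lets us notice an overflow without ever buffering the whole expansion.
        budget = limit - len(out) + 1
        chunk = d.decompress(pending, max_length=budget)
        consumed = len(pending) - len(d.unconsumed_tail)
        pending = d.unconsumed_tail
        out += chunk
        if len(out) > limit:
            raise ValueError("decompressed body exceeds %d bytes" % limit)
        if not chunk and consumed == 0:
            raise ValueError("truncated or invalid compressed stream")
    return bytes(out)


def decompressed_body_fits(body: bytes, limit: int) -> bool:
    """Hardened accept/reject decision: both compressed and decompressed size count."""
    if not compressed_size_only_check(body, limit):
        return False
    try:
        inflate_bounded(body, limit)
        return True
    except ValueError:
        return False
```

The constructed bomb passes the compressed-size-only check but is rejected by the bounded inflate once the output budget is exceeded, which is the decompressed-size threshold the recommendation above asks for.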

Generated by OpenCVE AI on April 18, 2026 at 16:28 UTC.


Advisories

No advisories yet.

History

Thu, 15 Jan 2026 22:45:00 +0000

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*

Wed, 14 Jan 2026 00:15:00 +0000

Type: References

Type: Metrics
Values removed: threat_severity: None
Values added: cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
              threat_severity: Important


Tue, 13 Jan 2026 09:30:00 +0000

Type: First Time appeared
Values added: Yhirose; Yhirose cpp-httplib

Type: Vendors & Products
Values added: Yhirose; Yhirose cpp-httplib

Mon, 12 Jan 2026 19:15:00 +0000

Type: Metrics
Values added: ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 12 Jan 2026 18:30:00 +0000

Type: Description
Values added: cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.1, a Denial of Service (DoS) vulnerability exists in cpp-httplib due to the unsafe handling of compressed HTTP request bodies (Content-Encoding: gzip, br, etc.). The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory.

Type: Title
Values added: cpp-httplib vulnerable to a denial of service (DOS) using a zip bomb

Type: Weaknesses
Values added: CWE-409

Type: References

Type: Metrics
Values added: cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T18:49:59.317Z

Reserved: 2026-01-09T18:27:19.388Z

Link: CVE-2026-22776

Vulnrichment

Updated: 2026-01-12T18:49:53.180Z

NVD

Status: Analyzed

Published: 2026-01-12T19:16:03.630

Modified: 2026-01-15T22:43:10.097

Link: CVE-2026-22776

Redhat

Severity: Important

Public Date: 2026-01-12T18:18:01Z

Links: CVE-2026-22776 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T16:30:05Z

Weaknesses