Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to parse RFC 5987 encoded filename* values in multipart Content-Disposition headers. The regex engine in libstdc++ implements backtracking via deep recursion, consuming one stack frame per input character. An attacker can send a single HTTP POST request with a crafted filename* parameter that causes uncontrolled stack growth, resulting in a stack overflow (SIGSEGV) that crashes the server process. This issue has been patched in version 0.37.0.
Published: 2026-03-07
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via stack overflow
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from cpp-httplib’s use of libstdc++’s std::regex to parse RFC 5987 encoded filename* values in multipart Content-Disposition headers. The libstdc++ regex engine implements backtracking through deep recursion, consuming one stack frame per input character, so the length of the attacker-supplied filename* value directly controls the recursion depth. A sufficiently long crafted value exhausts the thread stack and the process dies with SIGSEGV. This is stack exhaustion rather than a stack-based buffer overflow: nothing is written out of bounds, but the effect is the same, the server process terminates. The flaw is classified as CWE-1333 (Inefficient Regular Expression Complexity) and CWE-674 (Uncontrolled Recursion), resulting in a denial of service.

Affected Systems

All releases of the cpp-httplib single‑file header library prior to 0.37.0 (0.36.0 and earlier), authored by yhirose, are affected. The library is commonly embedded in C++ projects that handle HTTP or HTTPS requests, and any server built on an affected version that receives multipart/form-data request bodies is exposed, since the vulnerable parsing runs on the Content-Disposition header of each part.

Risk and Exploitability

The CVSS score of 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates medium severity: the attack is network-reachable and needs no privileges or user interaction, and its only impact is on availability. The EPSS probability is less than 1%, suggesting a low likelihood of widespread exploitation, and the vulnerability is not listed in CISA’s KEV catalog, although the SSVC record notes that a proof of concept exists. An attacker needs only network access to the application’s HTTP interface to send a single POST request with a malicious filename* value; once the crafted request reaches the vulnerable regex parser the process crashes and must be restarted, and the request can simply be repeated.

Generated by OpenCVE AI on April 16, 2026 at 10:50 UTC.

Remediation

Fixed by the vendor in cpp-httplib 0.37.0, which removes the std::regex-based parsing of filename* values. No workaround is documented for earlier versions.

OpenCVE Recommended Actions

  • Upgrade cpp-httplib to version 0.37.0 or later, which removes the vulnerable regex-based parsing logic.
  • If the application must continue using an older cpp-httplib release, refactor or wrap the multipart handling code to reject or sanitize filename* values before they reach the regex engine: cap the length of Content-Disposition header values (or of the whole part header) so the attacker no longer controls recursion depth, or replace the regex with a hand-written linear parser.
  • Run the server under a supervisor that restarts it on SIGSEGV and alert on repeated crashes while remediation is applied. Raising the stack limit (e.g. ulimit -s) only raises the input length an attacker needs and does not remove the flaw.
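The mechanism described under Impact above and the "reject or sanitize filename* values before they reach the regex engine" recommendation, as an added C++ example (not cpp-httplib's code): a std::regex parser in the style the advisory describes, kept only for comparison, beside a hand-written RFC 5987 ext-value parser that runs in one linear pass with constant stack usage and rejects over-long values before doing anything else. The regex pattern, the size cap kMaxExtValueLen, the UTF-8-only charset policy and the sample values are assumptions made for this example.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <optional>
#include <regex>
#include <string>
#include <string_view>

// Parsed RFC 5987 ext-value:  charset "'" [ language ] "'" value-chars
struct ExtValue {
    std::string charset;
    std::string language;
    std::string value;   // percent-decoded bytes of the filename
};

// Size cap applied before any parsing. The number is an assumption for this
// example; choose it per application. A filename* longer than this is rejected
// outright, which is what takes control of the recursion depth away from the client.
constexpr std::size_t kMaxExtValueLen = 1024;

// "Before" form, kept only for comparison: a std::regex in the style of the
// parsing this advisory describes. It is NOT cpp-httplib's actual pattern.
// On libstdc++ the backtracking matcher recurses as it consumes the input, so an
// unbounded `raw` lets the client choose the recursion depth; a few hundred
// thousand characters exhaust the thread stack and the process dies with SIGSEGV.
// Never call this on untrusted input of unbounded length.
std::optional<ExtValue> parse_ext_value_regex(const std::string& raw) {
    static const std::regex re(R"(^([^']*)'([^']*)'(.*)$)");
    std::smatch m;
    if (!std::regex_match(raw, m, re)) return std::nullopt;
    return ExtValue{m[1].str(), m[2].str(), m[3].str()};
}

// attr-char from RFC 5987 section 3.2.1: the only bytes allowed unencoded.
static bool is_attr_char(unsigned char c) {
    if (std::isalnum(c)) return true;
    return c == '!' || c == '#' || c == '$' || c == '&' || c == '+' || c == '-' ||
           c == '.' || c == '^' || c == '_' || c == '`' || c == '|' || c == '~';
}

static int hex_val(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Decode value-chars in one linear pass. Rejects any byte that is neither an
// attr-char nor part of a complete, well-formed pct-encoded triplet.
static std::optional<std::string> decode_value_chars(std::string_view in) {
    std::string out;
    out.reserve(in.size());
    for (std::size_t i = 0; i < in.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(in[i]);
        if (c != '%') {
            if (!is_attr_char(c)) return std::nullopt;
            out.push_back(static_cast<char>(c));
            continue;
        }
        if (i + 2 >= in.size()) return std::nullopt;              // truncated "%4"
        int hi = hex_val(static_cast<unsigned char>(in[i + 1]));
        int lo = hex_val(static_cast<unsigned char>(in[i + 2]));
        if (hi < 0 || lo < 0) return std::nullopt;                 // "%zz"
        out.push_back(static_cast<char>(hi * 16 + lo));
        i += 2;
    }
    return out;
}

static bool iequals(std::string_view a, std::string_view b) {
    if (a.size() != b.size()) return false;
    for (std::size_t i = 0; i < a.size(); ++i)
        if (std::tolower(static_cast<unsigned char>(a[i])) !=
            std::tolower(static_cast<unsigned char>(b[i]))) return false;
    return true;
}

// "After" form: no regex, no recursion, constant stack usage, explicit cap.
// Only UTF-8 is accepted as charset (the one charset RFC 8187 requires
// recipients to support); that is a policy choice for this example.
std::optional<ExtValue> parse_ext_value(std::string_view raw) {
    if (raw.size() > kMaxExtValueLen) return std::nullopt;        // reject first
    std::size_t q1 = raw.find('\'');
    if (q1 == std::string_view::npos) return std::nullopt;
    std::size_t q2 = raw.find('\'', q1 + 1);
    if (q2 == std::string_view::npos) return std::nullopt;
    std::string_view charset = raw.substr(0, q1);
    std::string_view language = raw.substr(q1 + 1, q2 - q1 - 1);
    if (!iequals(charset, "UTF-8")) return std::nullopt;
    auto value = decode_value_chars(raw.substr(q2 + 1));
    if (!value) return std::nullopt;
    return ExtValue{std::string(charset), std::string(language), *value};
}

int main() {
    // Constructed sample values: RFC 5987's own example and a hostile one.
    const std::string good = "UTF-8''%e2%82%ac%20rates.txt";
    const std::string hostile = "UTF-8''" + std::string(200000, 'a');
    if (auto v = parse_ext_value(good)) std::cout << "filename: " << v->value << '\n';
    std::cout << "hostile accepted: " << (parse_ext_value(hostile) ? "yes" : "no") << '\n';
    // parse_ext_value_regex(hostile) is deliberately not called: on libstdc++
    // it is the crash the advisory describes.
    return 0;
}
```

Build with a C++17 compiler (for example g++ -std=c++17). The hostile value is fed only to the safe parser; with libstdc++, handing it to parse_ext_value_regex reproduces the crash the advisory describes, which is exactly why the size check runs before any matching.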

Tracking


Advisories

No advisories yet.

History

Mon, 09 Mar 2026 21:30:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*

Mon, 09 Mar 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 12:15:00 +0000

Type        Values Removed           Values Added
References
Metrics     threat_severity: None    threat_severity: Moderate


Mon, 09 Mar 2026 10:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Yhirose; Yhirose cpp-httplib
Vendors & Products                     Yhirose; Yhirose cpp-httplib

Sat, 07 Mar 2026 16:15:00 +0000

Type          Values Removed   Values Added
Description                    cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to parse RFC 5987 encoded filename* values in multipart Content-Disposition headers. The regex engine in libstdc++ implements backtracking via deep recursion, consuming one stack frame per input character. An attacker can send a single HTTP POST request with a crafted filename* parameter that causes uncontrolled stack growth, resulting in a stack overflow (SIGSEGV) that crashes the server process. This issue has been patched in version 0.37.0.
Title                          cpp-httplib: Stack Overflow Denial of Service (DoS) via std::regex in multipart filename parsing
Weaknesses                     CWE-1333; CWE-674
References
Metrics                        cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T18:25:58.815Z

Reserved: 2026-03-03T20:51:43.483Z

Link: CVE-2026-29076

Vulnrichment

Updated: 2026-03-09T17:52:26.136Z

NVD

Status : Analyzed

Published: 2026-03-07T16:15:54.193

Modified: 2026-03-09T21:19:35.750

Link: CVE-2026-29076

Redhat

Severity : Moderate

Public Date: 2026-03-07T16:08:56Z

Links: CVE-2026-29076 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T11:00:10Z

Weaknesses