Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses the streaming API (httplib::stream::Get, httplib::stream::Post, etc.), the library calls std::stoull() directly on the Content-Length header value received from the server with no input validation and no exception handling. std::stoull throws std::invalid_argument for non-numeric strings and std::out_of_range for values exceeding ULLONG_MAX. Since nothing catches these exceptions, the C++ runtime calls std::terminate(), which kills the process with SIGABRT. Any server the client connects to — including servers reached via HTTP redirects, third-party APIs, or man-in-the-middle positions can crash the client application with a single HTTP response. No authentication is required. No interaction from the end user is required. The crash is deterministic and immediate. This vulnerability is fixed in 0.37.1.
Published: 2026-03-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Client Process Crash (Denial of Service)
Action: Immediate Patch
AI Analysis

Impact

A malformed Content-Length header in an HTTP response triggers an unhandled exception in the C++ library cpp‑httplib when the client processes a streaming API response. The library invokes std::stoull without validating the header value, causing std::invalid_argument or std::out_of_range to be thrown for non‑numeric or overly large values. Because these exceptions are uncaught, the C++ runtime calls std::terminate(), terminating the client process with SIGABRT. This results in a deterministic, immediate crash, leading to a denial of service for the affected application.

Affected Systems

The vulnerability affects projects using the yhirose:cpp‑httplib library prior to release 0.37.1. Any system that incorporates this library for HTTP or HTTPS client functionalities is susceptible.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity. The EPSS score is less than 1%, suggesting low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by simply sending an HTTP response with an invalid or overly large Content‑Length header; no authentication or user interaction is required.

Generated by OpenCVE AI on March 18, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to cpp-httplib version 0.37.1 or later
  • Verify library version after upgrade

Generated by OpenCVE AI on March 18, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:yhirose:cpp-httplib:*:*:*:*:*:*:*:*

Fri, 13 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1287
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 12 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Yhirose
Yhirose cpp-httplib
Vendors & Products Yhirose
Yhirose cpp-httplib

Wed, 11 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses the streaming API (httplib::stream::Get, httplib::stream::Post, etc.), the library calls std::stoull() directly on the Content-Length header value received from the server with no input validation and no exception handling. std::stoull throws std::invalid_argument for non-numeric strings and std::out_of_range for values exceeding ULLONG_MAX. Since nothing catches these exceptions, the C++ runtime calls std::terminate(), which kills the process with SIGABRT. Any server the client connects to — including servers reached via HTTP redirects, third-party APIs, or man-in-the-middle positions can crash the client application with a single HTTP response. No authentication is required. No interaction from the end user is required. The crash is deterministic and immediate. This vulnerability is fixed in 0.37.1.
Title cpp-httplib Affected by Remote Process Crash via Malformed Content-Length Response Header
Weaknesses CWE-248
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Yhirose Cpp-httplib
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T20:10:21.550Z

Reserved: 2026-03-09T19:02:25.014Z

Link: CVE-2026-31870

cve-icon Vulnrichment

Updated: 2026-03-12T20:10:18.215Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T18:16:26.487

Modified: 2026-03-18T15:36:20.990

Link: CVE-2026-31870

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-11T17:57:49Z

Links: CVE-2026-31870 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:30:03Z

Weaknesses