Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked Transfer-Encoding causes unbounded memory allocation and process crash. The ChunkedDecoder::read_payload function in cpp-httplib (httplib.h) parses the chunk-size field of HTTP chunked transfer encoding using std::strtoul(). Per the C standard (§7.22.1.4), strtoul silently accepts a leading minus sign, performing unsigned wrap-around: strtoul("-2", …, 16) returns ULONG_MAX − 1 (0xFFFFFFFFFFFFFFFE). The library's only guard (line 12833) rejects ULONG_MAX (the result of "-1"), but any other negative value such as "-2" passes validation. The resulting near-maximum value is stored in chunk_remaining and controls how many bytes the server's read loop consumes from the network. This vulnerability is fixed in 0.43.4.
Published: 2026-05-29
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A negative chunk-size in HTTP chunked Transfer‑Encoding can trigger an unbounded memory allocation and process crash in cpp‑httplib versions before 0.43.4. The library parses the chunk‑size using std::strtoul(), which accepts a leading minus sign and performs unsigned wrap‑around; only the literal '-1' is validated against ULONG_MAX, so values such as '-2' are allowed. The resulting near‑maximum value is used as the amount of data the server attempts to read, leading to excessive memory allocation and eventual crash. The vulnerability therefore provides a denial‑of‑service path by consuming server resources and killing the process.

Affected Systems

The issue affects the cpp‑httplib library released by yhirose. Any deployment using cpp‑httplib 0.43.3 or earlier is vulnerable. The library is a single‑file C++11 HTTP/HTTPS header‑only component used in a variety of projects.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. No EPSS value is available and the flaw is not currently listed in the CISA KEV catalog, but the exploit can be performed remotely by sending a crafted HTTP request with a negative chunk‑size header. An attacker only needs network access to the endpoint that uses the library to trigger the crash, resulting in service disruption. Given these factors, the risk remains significant for exposed services that cannot protect against malformed requests.

Generated by OpenCVE AI on May 29, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update cpp‑httplib to version 0.43.4 or newer
  • If an immediate update is not possible, modify the ChunkedDecoder::read_payload function to reject any chunk‑size string that starts with a minus sign or contains a negative value before calling strtoul
  • Configure outbound or inbound traffic filtering (e.g., a reverse proxy) to block or reject HTTP requests that use chunked transfer encoding with malformed sizes

Generated by OpenCVE AI on May 29, 2026 at 20:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Yhirose
Yhirose cpp-httplib
Vendors & Products Yhirose
Yhirose cpp-httplib

Fri, 29 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked Transfer-Encoding causes unbounded memory allocation and process crash. The ChunkedDecoder::read_payload function in cpp-httplib (httplib.h) parses the chunk-size field of HTTP chunked transfer encoding using std::strtoul(). Per the C standard (§7.22.1.4), strtoul silently accepts a leading minus sign, performing unsigned wrap-around: strtoul("-2", …, 16) returns ULONG_MAX − 1 (0xFFFFFFFFFFFFFFFE). The library's only guard (line 12833) rejects ULONG_MAX (the result of "-1"), but any other negative value such as "-2" passes validation. The resulting near-maximum value is stored in chunk_remaining and controls how many bytes the server's read loop consumes from the network. This vulnerability is fixed in 0.43.4.
Title cpp-httplib DoS: Negative chunk-size in chunked Transfer-Encoding
Weaknesses CWE-1285
CWE-20
CWE-770
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Yhirose Cpp-httplib
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T19:15:42.208Z

Reserved: 2026-05-11T21:40:08.178Z

Link: CVE-2026-45352

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-29T20:16:26.140

Modified: 2026-05-29T20:23:08.683

Link: CVE-2026-45352

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T20:30:07Z

Weaknesses