CVE-2025-46728 in cpp-httplib

Summary

by MITRE • 05/06/2025

cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Prior to version 0.20.1, the library fails to enforce configured size limits on incoming request bodies when `Transfer-Encoding: chunked` is used or when no `Content-Length` header is provided. A remote attacker can send a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits during parsing. If the limit is exceeded at any point during reading, the connection is terminated immediately. A short-term workaround through a Reverse Proxy is available. If updating the library immediately is not feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the `cpp-httplib` application. Configure the proxy to enforce maximum request body size limits, thereby stopping excessively large requests before they reach the vulnerable library code.


Analysis

by VulDB Data Team • 11/24/2025

The cpp-httplib library represents a widely-used C++ header-only solution for implementing HTTP/HTTPS server and client functionality in applications. This vulnerability affects versions prior to 0.20.1 where the library demonstrates a critical flaw in request body size validation during HTTP parsing operations. The issue specifically manifests when processing chunked transfer encoding requests or requests lacking explicit content length headers, creating an avenue for memory exhaustion attacks against systems utilizing this library.

The technical flaw stems from inadequate validation of incoming HTTP request bodies when `Transfer-Encoding: chunked` is employed or when `Content-Length` headers are absent. In normal HTTP operations, chunked transfer encoding allows data to be sent in a series of chunks without requiring the total size to be known beforehand. However, the vulnerable implementation fails to enforce configured size limits during this chunked processing phase, allowing attackers to submit requests that progressively consume memory without proper boundaries. The absence of a terminating zero-length chunk in chunked requests creates an opportunity for continuous memory allocation until system resources are exhausted.

This vulnerability directly impacts system stability and availability by enabling denial of service conditions through memory exhaustion attacks. When attackers exploit this flaw, they can cause servers to consume excessive memory resources, ultimately leading to system crashes or complete unresponsiveness. The operational impact extends beyond simple service disruption as the vulnerability affects any application that relies on cpp-httplib for HTTP processing, potentially compromising entire service availability. The memory allocation continues until the system runs out of available memory, making this particularly dangerous in resource-constrained environments or when multiple concurrent attacks occur.

The fix implemented in version 0.20.1 addresses the core issue by enforcing strict size limits during the parsing process and terminating connections immediately when limits are exceeded. This approach follows security best practices by implementing defense-in-depth measures that prevent resource exhaustion attacks. The immediate connection termination prevents attackers from maintaining persistent resource consumption and provides a clear boundary for acceptable request sizes. Organizations should prioritize updating to version 0.20.1 or later to eliminate this vulnerability entirely. However, when immediate updates are not feasible, deploying a reverse proxy solution such as Nginx or HAProxy provides an effective mitigation strategy that enforces request size limits before requests reach the vulnerable library code.
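The limit-during-parsing behaviour described above can be illustrated with a small chunked-body decoder. This is an added example, not cpp-httplib's code; `decode_chunked` and `BodyStatus` are hypothetical names, and the input is a constructed, fully buffered byte string rather than a live socket.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <string>

enum class BodyStatus { Complete, Incomplete, TooLarge, Malformed };

// Hypothetical helper (not cpp-httplib's API): decode the chunked body in `in`
// into `out`, never letting the decoded payload exceed `max_len` bytes.
BodyStatus decode_chunked(const std::string& in, std::size_t max_len,
                          std::string& out) {
  out.clear();
  std::size_t pos = 0;
  for (;;) {
    const std::size_t eol = in.find("\r\n", pos);
    if (eol == std::string::npos) return BodyStatus::Incomplete;

    // Parse the hex chunk size; anything after ';' is a chunk extension.
    std::size_t size = 0, digits = 0;
    for (std::size_t i = pos; i < eol && in[i] != ';'; ++i, ++digits) {
      const unsigned char c = static_cast<unsigned char>(in[i]);
      if (!std::isxdigit(c)) return BodyStatus::Malformed;
      if (size > (SIZE_MAX >> 4)) return BodyStatus::TooLarge;  // would overflow
      const int v = std::isdigit(c) ? c - '0' : std::tolower(c) - 'a' + 10;
      size = (size << 4) | static_cast<std::size_t>(v);
    }
    if (digits == 0) return BodyStatus::Malformed;
    pos = eol + 2;

    // Terminating zero-length chunk (trailer fields are not handled here).
    if (size == 0) return BodyStatus::Complete;

    // Check the running total BEFORE buffering this chunk.
    if (size > max_len - out.size()) return BodyStatus::TooLarge;

    const std::size_t avail = in.size() - pos;
    if (avail < size || avail - size < 2) return BodyStatus::Incomplete;
    out.append(in, pos, size);
    if (in.compare(pos + size, 2, "\r\n") != 0) return BodyStatus::Malformed;
    pos += size + 2;
  }
}

int main() {
  // Constructed input: three 4-byte chunks and no terminating chunk.
  const std::string body = "4\r\nAAAA\r\n4\r\nAAAA\r\n4\r\nAAAA\r\n";
  std::string out;
  return decode_chunked(body, 8, out) == BodyStatus::TooLarge ? 0 : 1;
}
```

A caller would treat `TooLarge` as the point at which to close the connection, and `Incomplete` as a signal to keep reading under the same limit.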

This vulnerability aligns with CWE-400, which addresses unchecked resource consumption, and represents a classic example of a denial of service attack vector through resource exhaustion. The ATT&CK framework categorizes this under T1499.004, specifically targeting resource exhaustion through excessive memory allocation. The security implications extend to applications in web servers, API gateways, and any system that processes HTTP requests, making this vulnerability particularly concerning for internet-facing services. Organizations should implement proper monitoring and alerting for unusual memory consumption patterns, as these may indicate exploitation attempts. The vulnerability demonstrates the importance of input validation and resource boundary enforcement in network libraries, particularly those handling user-supplied HTTP data streams.

Responsible: GitHub M
Reservation: 04/28/2025
Disclosure: 05/06/2025
Moderation: accepted
CPE: ready
EPSS: 0.00603
KEV: no
Activities: very low
