CVE-2026-31870 in cpp-httplib

Summary

by MITRE • 03/11/2026

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses the streaming API (httplib::stream::Get, httplib::stream::Post, etc.), the library calls std::stoull() directly on the Content-Length header value received from the server with no input validation and no exception handling. std::stoull throws std::invalid_argument for non-numeric strings and std::out_of_range for values exceeding ULLONG_MAX. Since nothing catches these exceptions, the C++ runtime calls std::terminate(), which kills the process with SIGABRT. Any server the client connects to, including servers reached via HTTP redirects, third-party APIs, or man-in-the-middle positions, can crash the client application with a single HTTP response. No authentication is required. No interaction from the end user is required. The crash is deterministic and immediate. This vulnerability is fixed in 0.37.1.


Analysis

by VulDB Data Team • 03/22/2026

The vulnerability identified as CVE-2026-31870 affects the cpp-httplib C++ library, a widely used single-file header-only HTTP/HTTPS implementation that supports cross-platform development. This library serves as a fundamental component in numerous applications requiring network communication, making the flaw particularly concerning from a security perspective. The issue manifests specifically within the streaming API functions including httplib::stream::Get and httplib::stream::Post, which are designed for handling large data transfers and continuous data streams. These functions process HTTP responses from servers and parse the Content-Length header to determine the expected data size for proper handling.

The technical flaw resides in the library's handling of the Content-Length HTTP header value during streaming operations. When processing responses, cpp-httplib directly invokes std::stoull() on the header value without any input validation or exception handling mechanisms. This approach creates a critical security gap where malformed input can immediately terminate the application. The std::stoull() function is designed to throw std::invalid_argument exceptions for non-numeric input strings and std::out_of_range exceptions for values exceeding the maximum unsigned long long integer limit. However, the library fails to implement proper exception handling around these calls, leaving the application vulnerable to abrupt termination.

The operational impact of this vulnerability is severe and deterministic in nature. Any external server that the client application connects to can exploit this weakness through a single malicious HTTP response, causing immediate application crash. This includes servers encountered through HTTP redirects, third-party APIs, or even compromised man-in-the-middle positions that could inject malicious responses. The vulnerability requires no authentication or user interaction to exploit, making it particularly dangerous as it can be triggered automatically during normal network operations. The crash occurs through the standard C++ runtime termination mechanism, specifically SIGABRT signal generation, which terminates the process immediately without any graceful shutdown procedures.

This vulnerability maps directly to CWE-248, which addresses "Uncaught Exception" in software systems, and represents a classic example of improper exception handling in network processing components. The flaw also aligns with ATT&CK technique T1499.004, "Endpoint Denial of Service," as it enables an attacker to cause denial of service through carefully crafted HTTP responses that trigger application termination. The vulnerability's exploitability is further enhanced by its position within the network stack where applications typically have no control over incoming HTTP responses from external sources, making it difficult for developers to implement defensive measures at the application level. The fix implemented in version 0.37.1 addresses this by adding proper exception handling around the std::stoull() calls, ensuring that malformed Content-Length headers do not cause application termination but instead result in graceful error handling or default behavior.
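To make the failure mode and the fix concrete, here is an added example (not cpp-httplib's own source; the function names are hypothetical). It contrasts the unguarded std::stoull() pattern the advisory describes with a strict Content-Length parser that accepts only decimal digits, rejects overflow, and reports failure through std::optional instead of an exception that would reach std::terminate().

```cpp
#include <cctype>
#include <limits>
#include <optional>
#include <stdexcept>
#include <string>

// Reconstruction of the vulnerable pattern: the header value goes straight
// to std::stoull, which throws std::invalid_argument for non-numeric input
// and std::out_of_range above ULLONG_MAX. Uncaught, either ends the process.
unsigned long long naive_content_length(const std::string &value) {
    return std::stoull(value);
}

// Hardened parser: Content-Length is 1*DIGIT (RFC 9110), so reject empty
// strings, signs, whitespace, hex prefixes and anything non-decimal, and
// detect overflow before it happens. No exception can escape this function.
std::optional<unsigned long long> safe_content_length(const std::string &value) {
    if (value.empty()) return std::nullopt;
    const unsigned long long max = std::numeric_limits<unsigned long long>::max();
    unsigned long long n = 0;
    for (unsigned char c : value) {
        if (!std::isdigit(c)) return std::nullopt;       // "-1", " 42", "0x10", "abc"
        unsigned long long d = c - '0';
        if (n > (max - d) / 10) return std::nullopt;     // would exceed ULLONG_MAX
        n = n * 10 + d;
    }
    return n;
}

// Wraps the naive path so its exception type can be observed in a test
// instead of propagating to std::terminate (SIGABRT) as in the real bug.
std::string naive_outcome(const std::string &value) {
    try {
        naive_content_length(value);
        return "ok";
    } catch (const std::invalid_argument &) {
        return "invalid_argument";
    } catch (const std::out_of_range &) {
        return "out_of_range";
    }
}
```

A client that gets std::nullopt back should treat the response as malformed and close the connection rather than guess a length.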

The broader implications extend beyond immediate application crashes to potential cascading effects in systems that rely on cpp-httplib for critical network operations. Applications using this library for continuous data processing, web scraping, or API integration could experience unexpected downtime or service disruption. The deterministic nature of the crash means that attackers can reliably reproduce this vulnerability, making it an attractive target for malicious actors seeking to disrupt services. Additionally, the vulnerability's presence in a widely-used library means that the attack surface is extensive, potentially affecting numerous applications across different domains and security contexts. Security teams should prioritize updating affected systems to version 0.37.1 or later to prevent exploitation, while also considering the potential for similar vulnerabilities in other HTTP libraries that might employ similar patterns without proper exception handling.

Responsible: GitHub M
Reservation: 03/09/2026
Disclosure: 03/11/2026
Moderation: accepted
CPE: ready
EPSS: 0.00116
KEV: no
Activities: very low
