Hi all,
On Tue Jul 15, 2025 at 2:37 PM CEST, Moritz Mühlenhoff wrote:
CVE-2025-53628:
| cpp-httplib is a C++11 single-file header-only cross platform
| HTTP/HTTPS library. Prior to 0.20.1, cpp-httplib does not have a
| limit for a unique line, permitting an attacker to explore this to
| allocate memory arbitrarily. This vulnerability is fixed in 0.20.1.
| NOTE: This vulnerability is related to CVE-2025-53629.
https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-j6p8-779x-p5pw
https://github.com/yhirose/cpp-httplib/commit/7b752106ac42bd5b907793950d9125a0972c8e8e
(v0.20.1)
After taking a closer look at these CVEs, I found out that
CVE-2025-53628's description is completely wrong. In fact, it describes
CVE-2025-46728 (I believe they got mixed up since they both end with 28).
This theory of mine is also reinforced by the fact that the GitHub
advisory of CVE-2025-53629 mentions CVE-2025-46728, and not 53628.
Opening the GitHub advisory you can find the correct description, which
is about HTTP header smuggling (and not memory exhaustion).
Apart from being annoying, this also makes it harder for me to figure
out which commit actually fixed the vulnerability of GHSA-j6p8-779x-p5pw
(i.e., the real CVE-2025-53628), as upstream's commit messages are...
let's say... unhelpful.
What should I do? How can the CVE text be rectified? (CVE-2025-53629
should be modified as well, to mention CVE-2025-46728).
Bye :)