Source: cpp-httplib
Version: 0.41.0+ds-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for cpp-httplib.

CVE-2026-45352[0]:
| cpp-httplib is a C++11 single-file header-only cross platform
| HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked
| Transfer-Encoding causes unbounded memory allocation and process
| crash. The ChunkedDecoder::read_payload function in cpp-httplib
| (httplib.h) parses the chunk-size field of HTTP chunked transfer
| encoding using std::strtoul(). Per the C standard (§7.22.1.4),
| strtoul silently accepts a leading minus sign, performing unsigned
| wrap-around: strtoul("-2", …, 16) returns ULONG_MAX − 1
| (0xFFFFFFFFFFFFFFFE). The library's only guard (line 12833) rejects
| ULONG_MAX (the result of "-1"), but any other negative value such as
| "-2" passes validation. The resulting near-maximum value is stored
| in chunk_remaining and controls how many bytes the server's read
| loop consumes from the network. This vulnerability is fixed in
| 0.43.4.


CVE-2026-45372[1]:
| cpp-httplib is a C++11 single-file header-only cross platform
| HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server
| parses an incoming request, it applies percent-decoding to every
| header value except Location and Referer. The validity check
| (is_field_value) is run before decoding, so encoded %0D%0A passes
| the check and is then expanded to a literal \r\n byte pair inside
| the stored header value. This vulnerability is fixed in 0.44.0.


CVE-2026-46527[2]:
| cpp-httplib is a C++11 single-file header-only cross platform
| HTTP/HTTPS library. Prior to 0.44.0, when the server has called
| Server::set_trusted_proxies() with a non-empty trusted-proxy list,
| an attacker can send an HTTP request that includes an
| X-Forwarded-For header whose value parses to no valid IP segments.
| The code path then executes get_client_ip(), which calls front() on
| an empty std::vector—undefined behavior in C++. On typical
| implementations this manifests as abnormal process termination
| (denial of service). With Sanitizers enabled, you get an explicit
| runtime diagnostic. This vulnerability is fixed in 0.44.0.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-45352
    https://www.cve.org/CVERecord?id=CVE-2026-45352
[1] https://security-tracker.debian.org/tracker/CVE-2026-45372
    https://www.cve.org/CVERecord?id=CVE-2026-45372
[2] https://security-tracker.debian.org/tracker/CVE-2026-46527
    https://www.cve.org/CVERecord?id=CVE-2026-46527

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
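The three defect classes described in the CVE texts above, as an added example that is not cpp-httplib's own code and not part of the bug report: weak_chunk_size() reconstructs the strtoul() guard the first advisory describes, to show why rejecting only ULONG_MAX is not enough; parse_chunk_size(), decode_header_value(), parse_forwarded_for() and select_client_ip() are hypothetical hardened counterparts for the three issues (a strict hex parser with an upper bound, validate-after-decode for header values, and an empty-list fallback before front()). The max_chunk and peer_ip parameters are assumptions for the example.

```cpp
#include <climits>
#include <cstdint>
#include <cstdlib>
#include <optional>
#include <string>
#include <vector>

// Value of one hex digit, or -1 for any other character.
static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// CVE-2026-45352, the weak form (reconstructed from the advisory text, not the
// library's code): strtoul() accepts a leading '-' and wraps around, and the
// only rejected result is ULONG_MAX, so "-2" yields ULONG_MAX - 1 and passes.
std::optional<unsigned long> weak_chunk_size(const std::string& line) {
    unsigned long v = std::strtoul(line.c_str(), nullptr, 16);
    if (v == ULONG_MAX) return std::nullopt;
    return v;
}

// Hardened form (hypothetical): accept only hex digits up to ';' (chunk
// extension) or CRLF, reject signs, whitespace and empty input, and cap the
// result at max_chunk so a hostile size cannot drive an unbounded read.
std::optional<std::uint64_t> parse_chunk_size(const std::string& line,
                                              std::uint64_t max_chunk) {
    std::uint64_t value = 0;
    std::size_t digits = 0;
    for (char c : line) {
        if (c == ';' || c == '\r' || c == '\n') break;
        int d = hex_val(c);
        if (d < 0) return std::nullopt;                    // '-', ' ', '+', ...
        if (value > (max_chunk >> 4)) return std::nullopt; // shift would exceed cap
        value = (value << 4) | static_cast<std::uint64_t>(d);
        if (value > max_chunk) return std::nullopt;
        ++digits;
    }
    if (digits == 0) return std::nullopt;
    return value;
}

// CVE-2026-45372: a field-value byte check (HTAB, or printable non-DEL).
static bool is_field_value_byte(unsigned char c) {
    return c == '\t' || (c >= 0x20 && c != 0x7f);
}

// Hardened form (hypothetical): percent-decode first, then validate every
// resulting byte, so an encoded %0D%0A is rejected instead of becoming a
// literal CRLF after the check has already passed.
std::optional<std::string> decode_header_value(const std::string& raw) {
    std::string out;
    for (std::size_t i = 0; i < raw.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(raw[i]);
        if (c == '%' && i + 2 < raw.size()) {
            int hi = hex_val(raw[i + 1]), lo = hex_val(raw[i + 2]);
            if (hi >= 0 && lo >= 0) {
                c = static_cast<unsigned char>(hi * 16 + lo);
                i += 2;
            }
        }
        if (!is_field_value_byte(c)) return std::nullopt;  // check AFTER decoding
        out.push_back(static_cast<char>(c));
    }
    return out;
}

// CVE-2026-46527: split an X-Forwarded-For value on commas, keeping only
// non-empty trimmed segments (real IP validation is assumed to happen here too),
// so the result may legitimately be empty.
std::vector<std::string> parse_forwarded_for(const std::string& header) {
    std::vector<std::string> segments;
    std::size_t start = 0;
    while (start <= header.size()) {
        std::size_t comma = header.find(',', start);
        if (comma == std::string::npos) comma = header.size();
        std::size_t b = start, e = comma;
        while (b < e && header[b] == ' ') ++b;
        while (e > b && header[e - 1] == ' ') --e;
        if (e > b) segments.push_back(header.substr(b, e - b));
        start = comma + 1;
    }
    return segments;
}

// Hardened form (hypothetical): never call front() on an empty vector; fall
// back to the transport peer address when no usable segment survived parsing.
std::string select_client_ip(const std::vector<std::string>& forwarded,
                             const std::string& peer_ip) {
    if (forwarded.empty()) return peer_ip;
    return forwarded.front();
}
```

The common thread is ordering and bounds: parse with a function that cannot wrap, validate the decoded bytes rather than the encoded ones, and check emptiness before indexing. A regression test for each fix should feed the rejected inputs ("-2", "%0D%0A", an X-Forwarded-For value with no usable segments) and assert the safe outcome.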
