VIR Vulnerability Intelligence Relay

CVE-2026-45352

medium
Published 2026-05-29 ยท Modified 2026-06-02
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
5.3

Description

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked Transfer-Encoding causes unbounded memory allocation and process crash. The ChunkedDecoder::read_payload function in cpp-httplib (httplib.h) parses the chunk-size field of HTTP chunked transfer encoding using std::strtoul(). Per the C standard (ยง7.22.1.4), strtoul silently accepts a leading minus sign, performing unsigned wrap-around: strtoul("-2", โ€ฆ, 16) returns ULONG_MAX โˆ’ 1 (0xFFFFFFFFFFFFFFFE). The library's only guard (line 12833) rejects ULONG_MAX (the result of "-1"), but any other negative value such as "-2" passes validation. The resulting near-maximum value is stored in chunk_remaining and controls how many bytes the server's read loop consumes from the network. This vulnerability is fixed in 0.43.4.

Predictions

Exploit likelihood
63%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker ยท View original โ†— ยท DFSG

CVE-2026-45352 NameCVE-2026-45352 Descriptioncpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked Transfer-Encoding causes unbounded memory allocation and process crash. The ChunkedDecoder::read_payload function in cpp-httplib (httplib.h) parses the chunk-size field of HTTP chunked transfer encoding using std::strtoul().โ€ฆ

CVE-2026-45352

NameCVE-2026-45352
Descriptioncpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked Transfer-Encoding causes unbounded memory allocation and process crash. The ChunkedDecoder::read_payload function in cpp-httplib (httplib.h) parses the chunk-size field of HTTP chunked transfer encoding using std::strtoul(). Per the C standard (ยง7.22.1.4), strtoul silently accepts a leading minus sign, performing unsigned wrap-around: strtoul("-2", โ€ฆ, 16) returns ULONG_MAX โˆ’ 1 (0xFFFFFFFFFFFFFFFE). The library's only guard (line 12833) rejects ULONG_MAX (the result of "-1"), but any other negative value such as "-2" passes validation. The resulting near-maximum value is stored in chunk_remaining and controls how many bytes the server's read loop consumes from the network. This vulnerability is fixed in 0.43.4.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cpp-httplib (PTS)bookworm0.11.4+ds-1+deb12u1vulnerable
trixie (security), trixie0.18.7-1+deb13u1vulnerable
forky, sid0.41.0+ds-3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cpp-httplibsource(unstable)(unfixed)

Notes

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h6wq-j5mv-f3q8

Home - Debian Security - Source (Git)

Apply commands

text fix
Notes
https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-h6wq-j5mv-f3q8

OS impact
debian Debian Affected 4 releases
VersionStatusFixed in
trixie Affected โ€”
sid Affected โ€”
forky Affected โ€”
bookworm Affected โ€”
suse SUSE Affected 1 release
VersionStatusFixed in
โ€” Affected โ€”

Application impact
VendorProductVersionsFixed
yhirosecpp-httplib{"endExcluding":"0.43.4"}0.43.4

References

CWEs

CWE-20 CWE-1285 CWE-770

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.