CVE-2026-45352: cpp-httplib Negative Chunk Size Denial of Service
cpp-httplib, a popular C++ HTTP library, contains a flaw in how it processes chunked HTTP transfers. When a malicious client sends a specially crafted HTTP request with a negative chunk size (like '-2'), the library's parsing logic mishandles it. Instead of rejecting the invalid value, it converts it to an extremely large number due to how C's strtoul function treats negative numbers. This causes the server to attempt allocating massive amounts of memory and reading far more data than expected, ultimately crashing the process. Applications using cpp-httplib versions before 0.43.4 are vulnerable.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-1285, CWE-20, CWE-770
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked Transfer-Encoding causes unbounded memory allocation and process crash. The ChunkedDecoder::read_payload function in cpp-httplib (httplib.h) parses the chunk-size field of HTTP chunked transfer encoding using std::strtoul(). Per the C standard (§7.22.1.4), strtoul silently accepts a leading minus sign, performing unsigned wrap-around: strtoul("-2", …, 16) returns ULONG_MAX − 1 (0xFFFFFFFFFFFFFFFE). The library's only guard (line 12833) rejects ULONG_MAX (the result of "-1"), but any other negative value such as "-2" passes validation. The resulting near-maximum value is stored in chunk_remaining and controls how many bytes the server's read loop consumes from the network. This vulnerability is fixed in 0.43.4.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the ChunkedDecoder::read_payload function within httplib.h. The code uses std::strtoul() to parse the chunk-size field from HTTP chunked transfer encoding without proper validation of negative values. Per C standard §7.22.1.4, strtoul silently interprets a leading minus sign and performs unsigned integer wrap-around. For example, strtoul("-2", ..., 16) returns 0xFFFFFFFFFFFFFFFE (ULONG_MAX − 1). While the library attempts to guard against the result ULONG_MAX (produced by "-1"), it fails to reject other negative values. The resulting near-maximum value is stored in chunk_remaining, which controls how many bytes the read loop attempts to consume from the network socket. This causes unbounded memory allocation and eventual process termination.
Business impact
Availability is the primary concern. An attacker can remotely trigger a denial of service by sending a malicious HTTP request, crashing any application or service built on cpp-httplib. This affects web services, APIs, embedded HTTP servers, and microservices relying on this library. The impact depends on deployment: a crash in a single-threaded handler affects one connection, but in thread-pool or async deployments, repeated attacks could exhaust server resources or trigger cascading failures. No data breach or integrity issue results, but service disruption can be significant.
Affected systems
cpp-httplib versions prior to 0.43.4 are affected. The library is used in a wide range of applications: embedded web servers, REST API servers, microservices, IoT devices with HTTP interfaces, and cross-platform applications. Any service or application linking against vulnerable versions of the library is at risk. Users should verify their cpp-httplib version and check whether their deployment model (single-threaded, multi-threaded, or async) increases exposure to repeated attack attempts.
Exploitability
Exploitability is straightforward. An attacker needs only network access to the affected HTTP server and the ability to send a crafted HTTP request with a negative chunk size in the Transfer-Encoding: chunked header. No authentication, user interaction, or special conditions are required. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects this: network-accessible, low complexity, no privileges or user interaction needed. However, actual impact depends on how the application handles crashes—whether it auto-restarts, whether the attacker must repeat the attack, and whether other mitigations (e.g., request size limits, timeouts) are in place.
Remediation
Update cpp-httplib to version 0.43.4 or later. This version includes a fix that properly validates chunk-size values and rejects negative or otherwise invalid inputs before they can trigger memory allocation issues. Patches should be applied across all systems and deployments using the library, including embedded instances and vendored copies. No workarounds are documented; patching is the primary mitigation.
Patch guidance
Upgrade cpp-httplib to 0.43.4 or newer. If you use cpp-httplib as a vendored header file in your project, replace the existing httplib.h with the fixed version. If you use it as a package dependency (via package manager or build system), update your dependency declaration and rebuild. Verify the fix by confirming the ChunkedDecoder::read_payload function now properly rejects negative chunk-size values. Test updated services in a staging environment before deploying to production. Review your deployment model to ensure auto-restart mechanisms are active, reducing the window for repeated denial-of-service attacks.
Detection guidance
Monitor for HTTP requests with unusual or malformed chunk-size headers, particularly those containing negative values or leading minus signs in the Transfer-Encoding: chunked field. Check application and system logs for unexpected crashes or out-of-memory errors correlated with HTTP traffic spikes. Network-based detection can inspect raw HTTP headers for invalid chunk-size syntax before traffic reaches the application. Host-based signals include sudden process termination, memory allocation failures, and core dumps. Correlate crashes across multiple instances to identify coordinated attack patterns. If cpp-httplib is used, consider enabling heap profiling or memory sanitizers during testing to catch unbounded allocation issues early.
Why prioritize this
Although the CVSS score is medium (5.3), this vulnerability merits prompt attention because: (1) it is remotely exploitable with no preconditions, (2) the fix is stable and available (0.43.4), (3) denial-of-service impact can disrupt business operations, and (4) exploitation requires minimal attacker sophistication. Organizations running cpp-httplib-based services should prioritize patching to restore service stability and prevent potential abuse. The lack of complexity and broad accessibility of the HTTP protocol make this a practical risk in internet-facing or internal-network deployments.
Risk score, explained
The CVSS 3.1 score of 5.3 (Medium) reflects: (1) network accessibility with low attack complexity and no privilege or user interaction requirements, yielding a high exploitability base; (2) availability impact (process crash) as the sole consequence, with no confidentiality or integrity loss; (3) no scope elevation—the impact is confined to the affected service. The score is not higher because the attack does not compromise data, escalate privileges, or affect other systems directly. However, the practical risk may be perceived as higher in critical infrastructure or high-availability environments where service disruption is costly.
Frequently asked questions
What versions of cpp-httplib are vulnerable?
All versions prior to 0.43.4 are vulnerable. Version 0.43.4 and later contain the fix. You should verify your exact version number in your project's dependency or vendor files.
How do I check what version of cpp-httplib I'm using?
If cpp-httplib is a header-only library in your project, search for the version number in httplib.h (usually in a comment or macro near the top). If it is a package dependency, check your package manager (vcpkg, Conan, etc.) or build configuration file. Alternatively, contact your software vendor if they provide cpp-httplib as part of their product.
Can this vulnerability steal data or compromise credentials?
No. This vulnerability only causes a denial of service (process crash) due to memory exhaustion. It does not allow an attacker to read memory, steal data, or escalate privileges. The impact is limited to service availability.
What should I do if I cannot immediately patch?
Implement network-level protections: use a Web Application Firewall (WAF) to inspect and reject malformed chunked transfer encoding requests, rate-limit incoming connections, and monitor logs for crashes. Add request timeout and size limits if possible. These are temporary mitigations only; patching is the proper fix.
This analysis is provided for informational purposes and does not constitute professional security advice. Verify all information against official vendor advisories and your specific deployment context. Testing patches should occur in non-production environments first. SEC.co makes no guarantee regarding the completeness or accuracy of this analysis, and users are responsible for assessing their own risk and compliance obligations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0018MEDIUMAndroid AccessibilityManagerService Denial of Service Vulnerability
- CVE-2026-0051MEDIUMAndroid UBSan Runtime Denial of Service Vulnerability
- CVE-2026-0070MEDIUMAndroid DevicePolicyManagerService Local Denial of Service Vulnerability
- CVE-2026-0085MEDIUMAndroid Contact Handler Denial of Service Vulnerability
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10533MEDIUMOpenShift ResourceQuota Bypass Leads to API Server DoS
- CVE-2026-10566MEDIUMMetaGPT Local Deserialization Vulnerability Exploit Available
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)