Yhirose: >> Cpp-Httplib >> 0.36.0 Security Vulnerabilities
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.2, when a cpp-httplib client is configured with a proxy and set_follow_location(true), any HTTPS redirect it follows will have TLS certificate and hostname verification silently disabled on the new connection. The client will accept any certificate presented by the redirect target — expired, self-signed, or forged — without raising an error or notifying the application. A network attacker in a position to return a redirect response can fully intercept the follow-up HTTPS connection, including any credentials or session tokens in flight. This vulnerability is fixed in 0.37.2.
CVSS Score
8.7
EPSS Score
0.0
Published
2026-03-16
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses the streaming API (httplib::stream::Get, httplib::stream::Post, etc.), the library calls std::stoull() directly on the Content-Length header value received from the server with no input validation and no exception handling. std::stoull throws std::invalid_argument for non-numeric strings and std::out_of_range for values exceeding ULLONG_MAX. Since nothing catches these exceptions, the C++ runtime calls std::terminate(), which kills the process with SIGABRT. Any server the client connects to — including servers reached via HTTP redirects, third-party APIs, or man-in-the-middle positions can crash the client application with a single HTTP response. No authentication is required. No interaction from the end user is required. The crash is deterministic and immediate. This vulnerability is fixed in 0.37.1.
CVSS Score
7.5
EPSS Score
0.001
Published
2026-03-11
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.37.0, cpp-httplib uses std::regex (libstdc++) to parse RFC 5987 encoded filename* values in multipart Content-Disposition headers. The regex engine in libstdc++ implements backtracking via deep recursion, consuming one stack frame per input character. An attacker can send a single HTTP POST request with a crafted filename* parameter that causes uncontrolled stack growth, resulting in a stack overflow (SIGSEGV) that crashes the server process. This issue has been patched in version 0.37.0.
CVSS Score
5.9
EPSS Score
0.001
Published
2026-03-07