- Package:
- cpp-httplib
- Source:
- cpp-httplib
- Submitter:
- Moritz Mühlenhoff
- Date:
- 2026-04-17 09:01:02 UTC
- Severity:
- normal
- Tags:
Hi,

The following vulnerabilities were published for cpp-httplib.

CVE-2025-52887[0]:
| cpp-httplib is a C++11 single-file header-only cross platform
| HTTP/HTTPS library. In version 0.21.0, when many http headers fields
| are passed in, the library does not limit the number of headers, and
| the memory associated with the headers will not be released when the
| connection is disconnected. This leads to potential exhaustion of
| system memory and results in a server crash or unresponsiveness.
| Version 0.22.0 contains a patch for the issue.

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xjhg-gf59-p92h
https://github.com/yhirose/cpp-httplib/commit/28dcf379e82a2cdb544d812696a7fd46067eb7f9 (v0.22.0)

This might be specific to 0.21, but needs confirmation.

CVE-2025-53628[1]:
| cpp-httplib is a C++11 single-file header-only cross platform
| HTTP/HTTPS library. Prior to 0.20.1, cpp-httplib does not have a
| limit for a unique line, permitting an attacker to explore this to
| allocate memory arbitrarily. This vulnerability is fixed in 0.20.1.
| NOTE: This vulnerability is related to CVE-2025-53629.

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-j6p8-779x-p5pw
https://github.com/yhirose/cpp-httplib/commit/7b752106ac42bd5b907793950d9125a0972c8e8e (v0.20.1)

CVE-2025-53629[2]:
| cpp-httplib is a C++11 single-file header-only cross platform
| HTTP/HTTPS library. Prior to 0.23.0, incoming requests using
| Transfer-Encoding: chunked in the header can allocate memory
| arbitrarily in the server, potentially leading to its exhaustion.
| This vulnerability is fixed in 0.23.0. NOTE: This vulnerability is
| related to CVE-2025-53628.

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-qjmq-h3cc-qv6w
https://github.com/yhirose/cpp-httplib/commit/17ba303889b8d4d719be3879a70639ab653efb99 (v0.23.0)

If you fix the vulnerabilities please also make sure to include the CVE
(Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-52887
    https://www.cve.org/CVERecord?id=CVE-2025-52887
[1] https://security-tracker.debian.org/tracker/CVE-2025-53628
    https://www.cve.org/CVERecord?id=CVE-2025-53628
[2] https://security-tracker.debian.org/tracker/CVE-2025-53629
    https://www.cve.org/CVERecord?id=CVE-2025-53629

Please adjust the affected versions in the BTS as needed.
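The three memory-exhaustion issues in the report above (and CVE-2025-46728, which the later changelog entries tie to them) all come down to a request reader that buffers attacker-controlled input without a bound: no cap on a single line, no cap on the number of header fields, and no cap on the decoded size of a chunked body. The following is an added example written for this page, not code from cpp-httplib or its upstream fixes; it shows one way to enforce all three limits so that an oversized input is refused before memory is spent on it. The limit values (`kMaxLineLength`, `kMaxHeaderCount`, `kMaxBodyLength`), the `Request`/`ParseResult` types and the sample request are assumptions made for the example.

```cpp
// Added example (not cpp-httplib code): a bounded HTTP/1.1 request reader.
// Each limit maps to one of the memory-exhaustion CVEs discussed in this bug:
//   kMaxLineLength   - per-line cap, missing before 0.20.1 (CVE-2025-46728)
//   kMaxHeaderCount  - header-count cap, missing before 0.22.0 (CVE-2025-52887)
//   kMaxBodyLength   - decoded chunked-body cap, missing before 0.23.0 (CVE-2025-53629)
// The limit values are assumptions for this example, not upstream's defaults.
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

static const std::size_t kMaxLineLength  = 8192;
static const std::size_t kMaxHeaderCount = 100;
static const std::size_t kMaxBodyLength  = 1u << 20;

struct Request {
  std::string request_line;
  std::vector<std::pair<std::string, std::string>> headers;
  std::string body;
};

enum class ParseResult { Ok, Incomplete, LineTooLong, TooManyHeaders, BodyTooLarge, Malformed };

static std::string lower(std::string s) {
  for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  return s;
}

// Read one CRLF-terminated line. The cap is applied to the bytes buffered so
// far, so a client that never sends CRLF cannot make us grow a string forever.
static ParseResult read_line(const std::string& in, std::size_t& pos, std::string& out) {
  std::size_t end = in.find("\r\n", pos);
  if (end == std::string::npos)
    return (in.size() - pos > kMaxLineLength) ? ParseResult::LineTooLong : ParseResult::Incomplete;
  if (end - pos > kMaxLineLength) return ParseResult::LineTooLong;
  out.assign(in, pos, end - pos);
  pos = end + 2;
  return ParseResult::Ok;
}

// Decode "hex-size[;ext]\r\n data \r\n ... 0\r\n [trailers] \r\n". The cap is
// checked against the declared size *before* any allocation, so one huge
// chunk header is rejected without first reserving memory for it.
static ParseResult read_chunked_body(const std::string& in, std::size_t& pos, std::string& body) {
  for (;;) {
    std::string line;
    ParseResult r = read_line(in, pos, line);
    if (r != ParseResult::Ok) return r;
    std::string hex = line.substr(0, line.find(';'));
    if (hex.empty() || hex.size() > 15 ||
        hex.find_first_not_of("0123456789abcdefABCDEF") != std::string::npos)
      return ParseResult::Malformed;
    std::size_t len = static_cast<std::size_t>(std::stoull(hex, nullptr, 16));
    if (len == 0) break;  // last-chunk; trailer section follows
    if (len > kMaxBodyLength || body.size() > kMaxBodyLength - len) return ParseResult::BodyTooLarge;
    if (in.size() - pos < len + 2) return ParseResult::Incomplete;
    if (in.compare(pos + len, 2, "\r\n") != 0) return ParseResult::Malformed;
    body.append(in, pos, len);
    pos += len + 2;
  }
  // Trailers get the same line/count limits as headers and are deliberately
  // not merged into req.headers (the trailer-merge issue is CVE-2025-53628).
  std::size_t trailers = 0;
  for (;;) {
    std::string line;
    ParseResult r = read_line(in, pos, line);
    if (r != ParseResult::Ok) return r;
    if (line.empty()) return ParseResult::Ok;
    if (++trailers > kMaxHeaderCount) return ParseResult::TooManyHeaders;
  }
}

static ParseResult parse_request(const std::string& in, Request& req) {
  std::size_t pos = 0;
  ParseResult r = read_line(in, pos, req.request_line);
  if (r != ParseResult::Ok) return r;
  bool chunked = false;
  for (;;) {
    std::string line;
    r = read_line(in, pos, line);
    if (r != ParseResult::Ok) return r;
    if (line.empty()) break;
    // Count is checked before the field is stored: the 101st header is refused
    // rather than buffered and then judged, so the cap bounds memory too.
    if (req.headers.size() >= kMaxHeaderCount) return ParseResult::TooManyHeaders;
    std::size_t colon = line.find(':');
    if (colon == std::string::npos || colon == 0) return ParseResult::Malformed;
    std::size_t v = line.find_first_not_of(" \t", colon + 1);
    std::string value = (v == std::string::npos) ? "" : line.substr(v);
    if (lower(line.substr(0, colon)) == "transfer-encoding" && lower(value) == "chunked") chunked = true;
    req.headers.emplace_back(line.substr(0, colon), value);
  }
  return chunked ? read_chunked_body(in, pos, req.body) : ParseResult::Ok;
}

// Constructed sample: a chunked POST with n_pad extra X-Pad-N headers and one
// trailer field. With 0 pads it carries exactly 2 headers.
static std::string build_request(std::size_t n_pad) {
  std::string s = "POST /upload HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n";
  for (std::size_t i = 0; i < n_pad; ++i) s += "X-Pad-" + std::to_string(i) + ": v\r\n";
  return s + "\r\n4\r\nWiki\r\n5\r\npedia\r\n0\r\nX-Checksum: abc\r\n\r\n";
}

static ParseResult classify(const std::string& raw) { Request r; return parse_request(raw, r); }
static std::string decoded_body(const std::string& raw) {
  Request r; return parse_request(raw, r) == ParseResult::Ok ? r.body : std::string();
}
static std::size_t header_count(const std::string& raw) { Request r; parse_request(raw, r); return r.headers.size(); }

int main() {
  std::printf("100 headers: %d, 101 headers: %d, 4 GiB chunk: %d\n",
              static_cast<int>(classify(build_request(98))), static_cast<int>(classify(build_request(99))),
              static_cast<int>(classify("POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\nFFFFFFFF\r\n")));
}
```

The point the test output further down in this bug makes (a 0.18.7 server answering 200/404 instead of 400 to `HeaderCountExceedsLimit`) corresponds here to `classify(build_request(99))` returning `TooManyHeaders`: the reject decision is taken on the count, before the extra field is stored, and the chunk-size check likewise fires on the declared size rather than after the allocation.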
This is not specific to 0.21. Adding the test to 0.18.7, it fails:
[ RUN ] ServerTest.HeaderCountExceedsLimit
../test/test.cc:3709: Failure
Expected equality of these values:
StatusCode::BadRequest_400
Which is: 400
res->status
Which is: 200
[ FAILED ] ServerTest.HeaderCountExceedsLimit (148 ms)
[ ... ]
[ RUN ] ServerTest.HeaderCountSecurityTest
../test/test.cc:3772: Failure
Expected equality of these values:
StatusCode::BadRequest_400
Which is: 400
res->status
Which is: 404
[ FAILED ] ServerTest.HeaderCountSecurityTest (147 ms)
Hi Moritz,

Thank you for the report. I'm in Debconf right now, and tomorrow I'll focus on fixing this. If you happen to be here, I'd be happy to meet you!

Since upstream makes breaking changes quite often, I'm not sure I'll be able to easily backport the fixes. I'll focus on fixing CVE-2025-53629 first, since the other two seem "just" memory leaks.

Bye!
Hi all,

After taking a closer look at these CVEs, I found out that CVE-2025-53628's description is completely wrong. In fact, it describes CVE-2025-46728 (I believe they got mixed up since they both end with 28). This theory of mine is also reinforced by the fact that the GitHub advisory of CVE-2025-53629 mentions CVE-2025-46728, and not 53628.

Opening the GitHub advisory you can find the correct description, which is about HTTP header smuggling (and not memory exhaustion).

Apart from being annoying, this also makes it harder for me to figure out which commit actually fixed the vulnerability of GHSA-j6p8-779x-p5pw (i.e., the real CVE-2025-53628), as upstream's commit messages are... let's say... unhelpful.

What should I do? How can the CVE text be rectified? (CVE-2025-53629 should be modified as well, to mention CVE-2025-46728).

Bye :)
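The message above identifies the real CVE-2025-53628 as header smuggling through the trailer section, and the changelog entries later in this bug describe the fix as changing "the way HTTP trailer fields are handled" so that prohibited trailers cannot modify headers. The following is an added example written for this page, not cpp-httplib's code or upstream's fix: a merge policy that accepts a trailer field only if the sender announced it in `Trailer`, it is not a field that RFC 7230 section 4.1.2 forbids in trailers, and it does not already exist in the header block. The forbidden-field list is my reading of that RFC section, not the list upstream uses; the `Fields`/`MergeResult` types and the sample header and trailer sets are constructed for the example.

```cpp
// Added example (not cpp-httplib code): a trailer-merge policy of the kind
// needed to close the header-smuggling path behind CVE-2025-53628.
// The forbidden-field list is my reading of RFC 7230 section 4.1.2, not the
// list upstream uses, and the sample fields at the bottom are constructed.
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

using Fields = std::vector<std::pair<std::string, std::string>>;

struct MergeResult {
  Fields merged;                     // headers plus the trailers that passed
  std::vector<std::string> rejected; // trailer names that were dropped
};

static std::string lc(std::string s) {
  for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  return s;
}

static bool has_field(const Fields& f, const std::string& name) {
  const std::string n = lc(name);
  return std::any_of(f.begin(), f.end(),
                     [&](const Fields::value_type& kv) { return lc(kv.first) == n; });
}

// RFC 7230 4.1.2: message framing, routing, request modifiers, authentication,
// and fields that control how the payload is processed must not be trailers.
static bool forbidden_in_trailer(const std::string& lname) {
  static const char* const kForbidden[] = {
      "transfer-encoding", "content-length", "host", "trailer", "te", "expect",
      "range", "max-forwards", "cache-control", "content-type", "content-encoding",
      "content-range", "authorization", "proxy-authorization", "cookie", "set-cookie",
      "www-authenticate", "proxy-authenticate"};
  for (const char* f : kForbidden) if (lname == f) return true;
  return false;
}

// Names the sender announced in "Trailer: a, b" (lowercased, whitespace stripped).
static std::vector<std::string> announced_trailers(const Fields& headers) {
  std::vector<std::string> names;
  for (const auto& kv : headers) {
    if (lc(kv.first) != "trailer") continue;
    std::string cur;
    for (char c : kv.second + ",") {
      if (c == ',') { if (!cur.empty()) names.push_back(lc(cur)); cur.clear(); }
      else if (c != ' ' && c != '\t') cur += c;
    }
  }
  return names;
}

// Merge policy: a trailer field is accepted only if (1) the sender announced
// it in Trailer, (2) it is not a forbidden field, and (3) it does not already
// exist in the header block. A trailer may add information; it never overrides.
static MergeResult merge_trailers(const Fields& headers, const Fields& trailers) {
  MergeResult out;
  out.merged = headers;
  const std::vector<std::string> allowed = announced_trailers(headers);
  for (const auto& kv : trailers) {
    const std::string name = lc(kv.first);
    bool ok = std::find(allowed.begin(), allowed.end(), name) != allowed.end() &&
              !forbidden_in_trailer(name) && !has_field(headers, name);
    if (ok) out.merged.push_back(kv); else out.rejected.push_back(kv.first);
  }
  return out;
}

// Constructed sample: one legitimate checksum trailer next to three smuggling
// attempts (re-framing via Content-Length, re-routing via Host, an unannounced field).
static Fields sample_headers() {
  return {{"Host", "example.test"}, {"Transfer-Encoding", "chunked"}, {"Trailer", "X-Checksum, X-Trace"}};
}
static Fields sample_trailers() {
  return {{"X-Checksum", "abc123"}, {"Content-Length", "0"}, {"Host", "attacker.test"}, {"X-Undeclared", "1"}};
}

int main() {
  MergeResult r = merge_trailers(sample_headers(), sample_trailers());
  std::printf("merged %zu fields, rejected %zu trailers\n", r.merged.size(), r.rejected.size());
  for (const std::string& n : r.rejected) std::printf("  rejected: %s\n", n.c_str());
}
```

An unconditional merge (append every trailer to the header map, or let a trailer replace a same-named header) is exactly what lets a chunked request re-frame or re-route itself after the headers have already been read; the three rejections in the sample are the cases such a merge would have let through.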
Did some more digging, and turns out that even the commit mentioned in CVE-2025-53629 is wrong, which in fact fixes 53628.

- The commit fixing CVE-2025-53628 is 17ba303889b8d4d719be3879a70639ab653efb99
- The commit fixing CVE-2025-53629 is 082acacd4581d10e05fccbe9cb336aa7822c4ea2

I'm also sending this to team@security.d.o as this to me seems relevant information to fix the CVEs, not the package itself.

Bye!
Hi, You seem to be right, while the GHSA references were correctly mapped I think we had wrong commits. I have updated the tracker as https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29c3c8b9f97361016802d46761ead5d3410ce797 Regards, Salvatore
Hi! I have prepared an upload fixing three CVEs for the cpp-httplib package, originally targeting unstable/testing/trixie. I was asked by the release team to coordinate with you instead, and to perform a security update. You can find a full diff about the version in trixie and the update at <https://salsa.debian.org/debian/cpp-httplib/-/compare/archive%2Fdebian%2F0.18.7-1...debian%2Ftrixie?from_project_id=65963>. I've also attached a debdiff here. For some more context on the impact of the changes, please see the Cc'd bug and the unblock bug #1110393. Let me know how to proceed! Bye :)
Hi Andrea,

I understand they did not want to unblock anymore. My suggestion would be: make first an unstable upload with the targeted fix (maybe after Saturday, given the trixie release is just around the corner and we should not cause more work to the release team). Once that is in, we can decide if cpp-httplib requires a DSA or a point release is enough. Likewise then for bookworm.

Regards,
Salvatore
Hi Salvatore, Is it ok if the upload fixing the CVEs isn't a backport but an update to the latest upstream release? I've already done so in experimental. Thanks! Bye
Hi Andrea,

yes of course. My proposal was more targeting if we want to have a ~deb13u1 rebuild for trixie either via security or the first point release. So uploading now the new upstream version is fine in any case.

Regards,
Salvatore
We believe that the bug you reported is fixed in the latest version of
cpp-httplib, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1109340@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andrea Pappacoda <tachi@debian.org> (supplier of updated cpp-httplib package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 16 Aug 2025 20:27:58 +0200
Binary: libcpp-httplib0.25 libcpp-httplib0.25-dbgsym libcpp-httplib-dev
Source: cpp-httplib
Architecture: amd64 source
Version: 0.25.0+ds-1
Distribution: experimental
Urgency: medium
Maintainer: Andrea Pappacoda <tachi@debian.org>
Changed-By: Andrea Pappacoda <tachi@debian.org>
Closes: 1109340
Description:
libcpp-httplib0.25 - C++ HTTP/HTTPS server and client library
libcpp-httplib-dev - C++ HTTP/HTTPS server and client library - development files
Changes:
cpp-httplib (0.25.0+ds-1) experimental; urgency=medium
.
* Update to new upstream version 0.25.0+ds.
.
* Fix numerous CVEs (Closes: #1109340):
- CVE-2025-52887 (Unlimited number of HTTP headers causes memory leak).
Version 0.22.0 adds a limit to the number of headers which can be passed
in an HTTP request, mitigating a possible DoS due to memory exhaustion.
.
- CVE-2025-53628 (HTTP Header Smuggling due to insecure trailers merge).
Version 0.23.0 changes the way HTTP trailer fields are handled so as to
prevent an attacker from modifying headers via prohibited trailers.
.
- CVE-2025-53629 (Unbounded Memory Allocation in Chunked Requests).
Version 0.23.0 complements the fix for CVE-2025-46728, actually solving
memory exhaustion attacks via chunked HTTP requests.
.
* d/control: libcpp-httplib0.20 -> libcpp-httplib0.25
* d/changelog: mention CVE-2025-46728 in 0.20.1+ds-1 changelog entry.
* d/rules: remove redundant file copy
Checksums-Sha1:
6905159ff473439ec66271f635e87e4bc86d3c8c 1824 cpp-httplib_0.25.0+ds-1.dsc
1aef4bc01d005cf9550923850051e4eb597d2588 737100 cpp-httplib_0.25.0+ds.orig.tar.xz
19eebbbae9457fd85f3072a88a19477d679867d4 5872 cpp-httplib_0.25.0+ds-1.debian.tar.xz
8e4045d131a9f0818ea67922b07014fd8a80d74a 8076 cpp-httplib_0.25.0+ds-1_amd64.buildinfo
67455f2873e9d13bf6832f69ace3e0384de39626 21320 libcpp-httplib-dev_0.25.0+ds-1_amd64.deb
f50db04cd7666fbf40e3f34dc50bcd45d0e7fd08 2565820 libcpp-httplib0.25-dbgsym_0.25.0+ds-1_amd64.deb
72e12e0cc867615ca0d4b3af036b59b617ad2879 225548 libcpp-httplib0.25_0.25.0+ds-1_amd64.deb
Checksums-Sha256:
6c1a147bd6a6041ee3b992d95f75ac74e4ad7459ea350e19e8bc7acd57d6a9e0 1824 cpp-httplib_0.25.0+ds-1.dsc
cd92a04dac06907c3ba983a8bac29ebc252b790b4c33aafb1b33ffb0a56470ec 737100 cpp-httplib_0.25.0+ds.orig.tar.xz
cc3b930c6a4d58e7dcdae2f99eec2fb6e00b5d2e07b818b71a303c5d329b5e46 5872 cpp-httplib_0.25.0+ds-1.debian.tar.xz
868276b25d53424a787d309d6c00bef9ac14c26953ca6f764f24f2ae63e41cdc 8076 cpp-httplib_0.25.0+ds-1_amd64.buildinfo
8af454334a50f3a663477552339504e3e1c8ba25aa5a405659d84ce041febdd6 21320 libcpp-httplib-dev_0.25.0+ds-1_amd64.deb
ab424be050427c771b0bc1cbdfd8cdbad85c1764b16d209bd134e307811b34cf 2565820 libcpp-httplib0.25-dbgsym_0.25.0+ds-1_amd64.deb
85c1589b717f4fa0b4b9d5207806b6c6cee1dc24192016f8a0ab0945a51e235d 225548 libcpp-httplib0.25_0.25.0+ds-1_amd64.deb
Files:
e670cb89d2a0c7d19f9038cca2d5b934 1824 libs optional cpp-httplib_0.25.0+ds-1.dsc
8fd07b577fc95d9bbc50fbadaa1def14 737100 libs optional cpp-httplib_0.25.0+ds.orig.tar.xz
8ef9848aefb54e5ac30b63416234de29 5872 libs optional cpp-httplib_0.25.0+ds-1.debian.tar.xz
4cc8db4bcbf8f0101826e9a1f1f12ddc 8076 libs optional cpp-httplib_0.25.0+ds-1_amd64.buildinfo
6f9c104d60e605f997dec48c8606a6a9 21320 libdevel optional libcpp-httplib-dev_0.25.0+ds-1_amd64.deb
be7f6bba01c7a9b3ba0b3f5f1e54d6b2 2565820 debug optional libcpp-httplib0.25-dbgsym_0.25.0+ds-1_amd64.deb
ce878dcc9634ceffcac8fcde13141e3e 225548 libs optional libcpp-httplib0.25_0.25.0+ds-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
iIcEARYKAC8WIQS6VuNIvZRFHt7JcAdKkgiiRVB3pwUCaKDPbhEcdGFjaGlAZGVi
aWFuLm9yZwAKCRBKkgiiRVB3p5mAAP94cVZH9jtJfIHpXzXCuu4YDn1OeqK5rPiD
8jYGGnpMnAD/RV2wiM5IVp/eeDNaK1liwlazgV8U7A2UuCXvOSBJCwA=
=w+VW
-----END PGP SIGNATURE-----
We believe that the bug you reported is fixed in the latest version of
cpp-httplib, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1109340@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andrea Pappacoda <tachi@debian.org> (supplier of updated cpp-httplib package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 17 Apr 2026 09:47:23 +0200
Source: cpp-httplib
Architecture: source
Version: 0.41.0+ds-3
Distribution: unstable
Urgency: medium
Maintainer: Andrea Pappacoda <tachi@debian.org>
Changed-By: Andrea Pappacoda <tachi@debian.org>
Closes: 1104926 1109340 1122027 1124586 1126754 1130232 1130234 1130235 1130505 1130876 1132162 1133187
Changes:
cpp-httplib (0.41.0+ds-3) unstable; urgency=medium
.
* Upload to unstable. See Bug#1126438
* d/rules: disable last failing tests on i386
* d/watch: update to version 5
.
cpp-httplib (0.41.0+ds-2) experimental; urgency=medium
.
* d/rules: increase test timeout
* d/rules: make test skip patterns more specific
* d/rules: skip some more flaky tests
.
cpp-httplib (0.41.0+ds-1) experimental; urgency=medium
.
* Update to new upstream version 0.41.0+ds.
* Fix numerous CVEs in the server component:
- CVE-2025-66570 and CVE-2025-66577. Closes: #1122027
- CVE-2026-21428. Closes: #1124586
- CVE-2026-22776. Closes: #1126754
- CVE-2026-28434. Closes: #1130232
- CVE-2026-28435. Closes: #1130234
- CVE-2026-29076. Closes: #1130235
- CVE-2026-31870. Closes: #1130505
- CVE-2026-34441. Closes: #1133187
* Fix two CVEs in the client component:
- CVE-2026-32627. Closes: #1130876
- CVE-2026-33745. Closes: #1132162
* d/control: libcpp-httplib0.26 -> libcpp-httplib0.41
* d/rules: disable WebSocketIntegrationTest.SocketSettings test
.
cpp-httplib (0.26.0+ds-2) experimental; urgency=low
.
* Re-do upload, with binaries
.
cpp-httplib (0.26.0+ds-1) experimental; urgency=medium
.
* Update to new upstream version 0.26.0+ds.
* build(meson): use C++17 for gtest >= 1.17.0
* d/control: libcpp-httplib0.25 -> libcpp-httplib0.26
* d/rules: use new option names
.
cpp-httplib (0.25.0+ds-1) experimental; urgency=medium
.
* Update to new upstream version 0.25.0+ds.
.
* Fix numerous CVEs (Closes: #1109340):
- CVE-2025-52887 (Unlimited number of HTTP headers causes memory leak).
Version 0.22.0 adds a limit to the number of headers which can be passed
in an HTTP request, mitigating a possible DoS due to memory exhaustion.
.
- CVE-2025-53628 (HTTP Header Smuggling due to insecure trailers merge).
Version 0.23.0 changes the way HTTP trailer fields are handled so as to
prevent an attacker from modifying headers via prohibited trailers.
.
- CVE-2025-53629 (Unbounded Memory Allocation in Chunked Requests).
Version 0.23.0 complements the fix for CVE-2025-46728, actually solving
memory exhaustion attacks via chunked HTTP requests.
.
* d/control: libcpp-httplib0.20 -> libcpp-httplib0.25
* d/changelog: mention CVE-2025-46728 in 0.20.1+ds-1 changelog entry.
* d/rules: remove redundant file copy
.
cpp-httplib (0.20.1+ds-3) experimental; urgency=low
.
* Third time's the charm
.
cpp-httplib (0.20.1+ds-2) experimental; urgency=low
.
* Re-try git-debpush upload
.
cpp-httplib (0.20.1+ds-1) experimental; urgency=low
.
* Update to new upstream version 0.20.1+ds.
* fix CVE-2025-46728 (DoS via unbounded request line length).
While this version intended to enforce request body size limits for
chunked Transfer-Encoding, it actually adds size limits for single
lines read from HTTP requests, solving another kind of DoS.
See the GHSA-px83-72rx-v57c GitHub advisory for more details.
Thanks to Yang Wang for the patch!
Closes: #1104926
* d/control: libcpp-httplib0.18 -> libcpp-httplib0.20
Checksums-Sha1:
c38e91dd8571b315ab9607b0b1cda4cf19955e16 2576 cpp-httplib_0.41.0+ds-3.dsc
30aac48dbfc988af1fe2afaf939c1bcacc57fb69 6236 cpp-httplib_0.41.0+ds-3.debian.tar.xz
48526436d4d75f6893e7f6a278f126a6d8818928 1834568 cpp-httplib_0.41.0+ds-3.git.tar.xz
fe9c2558724e1a128ba65c97af335f8eb428bab7 17366 cpp-httplib_0.41.0+ds-3_source.buildinfo
Checksums-Sha256:
462d7f953c81fcb2c699dd694cea9989cf11c4762e9b4cd30f4b2b6d6a190a49 2576 cpp-httplib_0.41.0+ds-3.dsc
706d1e41f837881506927eeea8db4a80c3c14a0129359981abf6baa94fa6c20b 6236 cpp-httplib_0.41.0+ds-3.debian.tar.xz
d38b473b32b17bdb86f76d155718288c52bf9074f57a680923dbda2fd27cc512 1834568 cpp-httplib_0.41.0+ds-3.git.tar.xz
dbcd01c9b16fa296a24041dc4795dbfc11421b57908789fada6e3d490cb0a1de 17366 cpp-httplib_0.41.0+ds-3_source.buildinfo
Files:
b4de237fda5f46689bf170be712a7b2b 2576 libs optional cpp-httplib_0.41.0+ds-3.dsc
9e3a37ae3b0a58d9367f6807ff1b7555 6236 libs optional cpp-httplib_0.41.0+ds-3.debian.tar.xz
d02efa6ced2ba2db2e197ec5f2b3b162 1834568 libs None cpp-httplib_0.41.0+ds-3.git.tar.xz
c0e9f90fc65bad145050e103bbab85da 17366 libs optional cpp-httplib_0.41.0+ds-3_source.buildinfo
Git-Tag-Info: tag=5872780c22007e8698543cb7d677df37ef314b94 fp=ba56e348bd94451edec970074a9208a2455077a7
Git-Tag-Tagger: Andrea Pappacoda <tachi@debian.org>