#1138578 cpp-httplib: CVE-2026-45352 CVE-2026-45372 CVE-2026-46527

Package:
src:cpp-httplib
Source:
src:cpp-httplib
Submitter:
Salvatore Bonaccorso
Date:
2026-05-31 19:21:01 UTC
Severity:
normal
Tags:
#1138578#5
Date:
2026-05-31 19:19:27 UTC
Hi,

The following vulnerabilities were published for cpp-httplib.

CVE-2026-45352[0]:
| cpp-httplib is a C++11 single-file header-only cross platform
| HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked
| Transfer-Encoding causes unbounded memory allocation and process
| crash. The ChunkedDecoder::read_payload function in cpp-httplib
| (httplib.h) parses the chunk-size field of HTTP chunked transfer
| encoding using std::strtoul(). Per the C standard (§7.22.1.4),
| strtoul silently accepts a leading minus sign, performing unsigned
| wrap-around: strtoul("-2", …, 16) returns ULONG_MAX − 1
| (0xFFFFFFFFFFFFFFFE). The library's only guard (line 12833) rejects
| ULONG_MAX (the result of "-1"), but any other negative value such as
| "-2" passes validation. The resulting near-maximum value is stored
| in chunk_remaining and controls how many bytes the server's read
| loop consumes from the network. This vulnerability is fixed in
| 0.43.4.


CVE-2026-45372[1]:
| cpp-httplib is a C++11 single-file header-only cross platform
| HTTP/HTTPS library. Prior to 0.44.0, when cpp-httplib's server
| parses an incoming request, it applies percent-decoding to every
| header value except Location and Referer. The validity check
| (is_field_value) is run before decoding, so encoded %0D%0A passes
| the check and is then expanded to a literal \r\n byte pair inside
| the stored header value. This vulnerability is fixed in 0.44.0.


CVE-2026-46527[2]:
| cpp-httplib is a C++11 single-file header-only cross platform
| HTTP/HTTPS library. Prior to 0.44.0, when the server has called
| Server::set_trusted_proxies() with a non-empty trusted-proxy list,
| an attacker can send an HTTP request that includes an X-Forwarded-
| For header whose value parses to no valid IP segments. The code path
| then executes get_client_ip(), which calls front() on an empty
| std::vector—undefined behavior in C++. On typical implementations
| this manifests as abnormal process termination (denial of service).
| With Sanitizers enabled, you get an explicit runtime diagnostic.
| This vulnerability is fixed in 0.44.0.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-45352
https://www.cve.org/CVERecord?id=CVE-2026-45352
[1] https://security-tracker.debian.org/tracker/CVE-2026-45372
https://www.cve.org/CVERecord?id=CVE-2026-45372
[2] https://security-tracker.debian.org/tracker/CVE-2026-46527
https://www.cve.org/CVERecord?id=CVE-2026-46527

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
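An added example (not cpp-httplib's own code) for the CVE-2026-45352 chunk-size issue described above: the std::strtoul pattern the advisory describes, which lets "-2" wrap to ULONG_MAX - 1, beside a strict hex-digit parser that rejects any sign, whitespace or oversized value. The function names and the MAX_CHUNK limit are assumptions for illustration, not values from the advisory or the library.

```cpp
#include <climits>
#include <cstdlib>
#include <string>

// Weak pattern from the advisory: strtoul accepts a leading '-' and wraps
// the result; the single ULONG_MAX check only catches "-1".
bool parse_chunk_size_weak(const std::string &line, unsigned long &out) {
  char *end = nullptr;
  unsigned long v = std::strtoul(line.c_str(), &end, 16);
  if (v == ULONG_MAX) return false;  // the only guard the advisory mentions
  out = v;
  return true;
}

// Assumed per-chunk ceiling (16 MiB); a real server picks its own limit.
constexpr unsigned long MAX_CHUNK = 16UL * 1024 * 1024;

// Strict parser: hex digits only, no sign or whitespace, stop at ';'
// (chunk extension) or CR, and bound the value before each shift so the
// accumulator can never overflow regardless of input length.
bool parse_chunk_size_strict(const std::string &line, unsigned long &out) {
  std::size_t i = 0;
  unsigned long v = 0;
  for (; i < line.size(); ++i) {
    char c = line[i];
    int d;
    if (c >= '0' && c <= '9')      d = c - '0';
    else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
    else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
    else break;
    if (v > (MAX_CHUNK >> 4)) return false;  // next shift would exceed limit
    v = (v << 4) | static_cast<unsigned long>(d);
  }
  if (i == 0) return false;  // no hex digit at all: "", "-2", " 1a", ";x"
  if (i < line.size() && line[i] != ';' && line[i] != '\r') return false;
  if (v > MAX_CHUNK) return false;
  out = v;
  return true;
}
```

The weak parser accepts "-2\r\n" as a near-ULONG_MAX chunk length, which is exactly the value the advisory says ends up in chunk_remaining; the strict parser rejects it before any allocation or read loop sees it.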