
CVE-2025-46728: CWE-400: Uncontrolled Resource Consumption in yhirose cpp-httplib

High
Tags: Vulnerability, CVE-2025-46728, cve, cve-2025-46728, cwe-400
Published: Tue May 06 2025 (05/06/2025, 00:45:25 UTC)
Source: CVE
Vendor/Project: yhirose
Product: cpp-httplib

Description

cpp-httplib is a C++ header-only HTTP/HTTPS server and client library. Prior to version 0.20.1, the library fails to enforce configured size limits on incoming request bodies when `Transfer-Encoding: chunked` is used or when no `Content-Length` header is provided. A remote attacker can send a chunked request without the terminating zero-length chunk, causing uncontrolled memory allocation on the server. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.20.1 fixes the issue by enforcing limits during parsing. If the limit is exceeded at any point during reading, the connection is terminated immediately. A short-term workaround through a reverse proxy is available. If updating the library immediately is not feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the `cpp-httplib` application. Configure the proxy to enforce maximum request body size limits, thereby stopping excessively large requests before they reach the vulnerable library code.

AI-Powered Analysis

Last updated: 07/06/2025, 19:41:38 UTC

Technical Analysis

CVE-2025-46728 is a high-severity vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting the yhirose cpp-httplib, a popular C++ header-only HTTP/HTTPS server and client library. Versions prior to 0.20.1 do not properly enforce configured size limits on incoming HTTP request bodies when the Transfer-Encoding header is set to chunked or when the Content-Length header is missing. Specifically, an attacker can send a chunked HTTP request without the required terminating zero-length chunk, causing the server to allocate memory indefinitely while waiting for the end of the request body. This uncontrolled memory allocation can exhaust system resources, leading to server crashes or unresponsiveness, effectively resulting in a denial-of-service (DoS) condition. The vulnerability does not impact confidentiality or integrity but severely affects availability. The issue was addressed in version 0.20.1 by enforcing size limits during the parsing of chunked requests and terminating connections immediately if limits are exceeded. For organizations unable to upgrade promptly, a recommended short-term mitigation is to deploy a reverse proxy such as Nginx or HAProxy in front of the cpp-httplib-based application. The proxy should be configured to enforce strict maximum request body size limits, preventing oversized or malformed requests from reaching the vulnerable library. No known exploits are currently reported in the wild, but the vulnerability is remotely exploitable without authentication or user interaction, increasing its risk profile. The CVSS v3.1 score is 7.5 (High), reflecting the ease of exploitation and significant impact on availability.
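The defect described above is a chunked body that keeps being buffered while the configured limit is never consulted, so a stream that omits the terminating zero-length chunk grows memory without bound. The following C++ example is added for this page and is not cpp-httplib's own code: it is a small incremental chunked-body decoder that shows where the fix has to sit, namely checking the body budget on every chunk-size line before that chunk's data is buffered, so the connection can be dropped as soon as the declared total exceeds the limit. Passing SIZE_MAX as the limit reproduces the unbounded behaviour for comparison. The names BoundedChunkedDecoder, chunk_frame, decode_wire, decoded_body and chunks_until_refused are this example's own, the 32-byte cap on a chunk-size line is an assumed simplification, and the scenario in chunks_until_refused is constructed. (In cpp-httplib the configured limit is the server's set_payload_max_length setting, which the page itself does not name.)

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <cstdlib>
#include <iostream>
#include <sstream>
#include <string>

// Result of feeding bytes to the decoder.
enum class ChunkStatus { NeedMore, Complete, TooLarge, Malformed };

// Incremental decoder for a "Transfer-Encoding: chunked" body that enforces a
// byte budget while parsing. The budget is checked when each chunk-size line is
// read, before that chunk's data is buffered, so a peer that streams chunks and
// never sends the terminating "0\r\n\r\n" is cut off once the declared total
// would exceed the limit instead of being buffered forever.
class BoundedChunkedDecoder {
public:
    explicit BoundedChunkedDecoder(size_t max_body_bytes) : max_(max_body_bytes) {}

    // Feed the next slice of socket input. TooLarge or Malformed means the
    // caller should stop reading and close the connection.
    ChunkStatus feed(const std::string& in) {
        buf_ += in;
        for (;;) {
            switch (state_) {
            case State::Size: {
                size_t eol = buf_.find("\r\n");
                if (eol == std::string::npos)   // size line itself is bounded (assumed 32-byte cap)
                    return buf_.size() > 32 ? ChunkStatus::Malformed : ChunkStatus::NeedMore;
                std::string line = buf_.substr(0, eol);
                size_t semi = line.find(';');   // ignore chunk extensions
                if (semi != std::string::npos) line.erase(semi);
                char* end = nullptr;
                unsigned long long n = std::strtoull(line.c_str(), &end, 16);
                if (line.empty() || !std::isxdigit(static_cast<unsigned char>(line[0])) || *end != '\0')
                    return ChunkStatus::Malformed;
                buf_.erase(0, eol + 2);
                if (n == 0) { state_ = State::Trailer; break; }
                if (n > max_ - received_) return ChunkStatus::TooLarge;   // the enforced limit
                remaining_ = static_cast<size_t>(n);
                state_ = State::Data;
                break;
            }
            case State::Data: {   // copy only what the current chunk declared
                size_t take = std::min(remaining_, buf_.size());
                body_.append(buf_, 0, take);
                buf_.erase(0, take);
                remaining_ -= take;
                received_ += take;
                if (remaining_ > 0) return ChunkStatus::NeedMore;
                state_ = State::DataCrlf;
                break;
            }
            case State::DataCrlf:
            case State::Trailer: {   // both expect a bare CRLF (empty trailer section only)
                if (buf_.size() < 2) return ChunkStatus::NeedMore;
                if (buf_.compare(0, 2, "\r\n") != 0) return ChunkStatus::Malformed;
                buf_.erase(0, 2);
                if (state_ == State::Trailer) return ChunkStatus::Complete;
                state_ = State::Size;
                break;
            }
            }
        }
    }

    const std::string& body() const { return body_; }

private:
    enum class State { Size, Data, DataCrlf, Trailer };
    State state_ = State::Size;
    size_t max_, received_ = 0, remaining_ = 0;
    std::string buf_, body_;
};

// Wire-format one chunk: "<hex size>\r\n<data>\r\n".
std::string chunk_frame(const std::string& data) {
    std::ostringstream os;
    os << std::hex << data.size() << "\r\n" << data << "\r\n";
    return os.str();
}

// Decode a whole wire body in one call; the decoded payload goes to *out if given.
ChunkStatus decode_wire(size_t limit, const std::string& wire, std::string* out) {
    BoundedChunkedDecoder d(limit);
    ChunkStatus s = d.feed(wire);
    if (out) *out = d.body();
    return s;
}

std::string decoded_body(size_t limit, const std::string& wire) {
    std::string b; decode_wire(limit, wire, &b); return b;
}

// Constructed scenario: a peer streams fixed-size chunks and never sends the
// zero-length terminator. Returns how many chunks were accepted before the
// decoder refused more, or max_rounds if it never refused (the unbounded case).
int chunks_until_refused(size_t limit, size_t chunk_size, int max_rounds) {
    BoundedChunkedDecoder d(limit);
    const std::string frame = chunk_frame(std::string(chunk_size, 'A'));
    for (int i = 0; i < max_rounds; ++i) {
        ChunkStatus s = d.feed(frame);
        if (s == ChunkStatus::TooLarge || s == ChunkStatus::Malformed) return i;
    }
    return max_rounds;
}

int main() {
    const std::string wire = chunk_frame("hello") + chunk_frame(" world") + "0\r\n\r\n";
    std::cout << "body under 1 KiB limit: \"" << decoded_body(1024, wire) << "\"\n";
    std::cout << "8-byte limit rejects: " << (decode_wire(8, wire, nullptr) == ChunkStatus::TooLarge) << "\n";
    std::cout << "chunks accepted before refusal (limit 100, 40-byte chunks): "
              << chunks_until_refused(100, 40, 1000) << "\n";
    return 0;
}
```

The point of the second scenario is the one the analysis makes: with a real limit the decoder refuses the third 40-byte chunk, while with a limit of SIZE_MAX every chunk is accepted and the body keeps growing for as long as the peer keeps sending, which is exactly the condition a reverse proxy's body-size limit is meant to stop in front of an unpatched server.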

Potential Impact

For European organizations, the impact of this vulnerability can be substantial, especially for those relying on cpp-httplib in their C++ applications exposed to the internet or internal networks. Exploitation can lead to denial-of-service conditions, causing service outages, degraded performance, and potential disruption of critical business operations. This is particularly concerning for sectors such as finance, healthcare, telecommunications, and public services where high availability is essential. Additionally, prolonged unavailability could lead to reputational damage and regulatory scrutiny under frameworks like GDPR if service disruptions affect customer data access or processing. Since the vulnerability can be triggered remotely without authentication, attackers can easily target exposed services, increasing the risk of widespread disruption. The lack of known exploits in the wild currently provides a window for mitigation, but the vulnerability’s nature suggests it could be weaponized in automated DoS campaigns. Organizations using cpp-httplib in embedded systems or IoT devices may also face challenges due to limited patching capabilities, increasing the risk of persistent exposure.

Mitigation Recommendations

1. Immediate upgrade to cpp-httplib version 0.20.1 or later to ensure proper enforcement of request body size limits during chunked transfer encoding parsing.
2. If upgrading is not immediately feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of the vulnerable application. Configure the proxy to enforce strict maximum request body size limits and reject requests exceeding these limits before they reach the backend.
3. Implement network-level protections such as rate limiting and anomaly detection to identify and block suspicious traffic patterns indicative of DoS attempts.
4. Conduct thorough testing of the application’s handling of chunked requests post-mitigation to confirm that limits are enforced correctly and that malformed requests are rejected gracefully.
5. Monitor logs and network traffic for unusual spikes in request sizes or incomplete chunked requests that may indicate exploitation attempts.
6. For embedded or IoT deployments using cpp-httplib, evaluate the feasibility of firmware updates or network segmentation to isolate vulnerable devices.
7. Maintain an incident response plan to quickly address potential DoS incidents stemming from this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-04-28T20:56:09.084Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981cc4522896dcbdac8c

Added to database: 5/21/2025, 9:08:44 AM

Last enriched: 7/6/2025, 7:41:38 PM

Last updated: 8/6/2025, 3:31:49 PM

