CVE-2026-28435: CWE-400: Uncontrolled Resource Consumption in yhirose cpp-httplib
cpp-httplib is a C++11 single-file header-only cross-platform HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib (httplib.h) does not enforce Server::set_payload_max_length() on the decompressed request body when using HandlerWithContentReader (streaming ContentReader) with Content-Encoding: gzip (or other supported encodings). A small compressed payload can expand beyond the configured payload limit and be processed by the application, enabling a payload size limit bypass and potential denial of service (CPU/memory exhaustion). This vulnerability is fixed in 0.35.0.
AI Analysis
Technical Summary
CVE-2026-28435 affects cpp-httplib, a widely used C++11 single-header HTTP/HTTPS library, in versions before 0.35.0. The vulnerability arises because the library fails to enforce the configured maximum payload size limit on decompressed HTTP request bodies when HandlerWithContentReader is used in conjunction with compressed content encodings such as gzip. Specifically, while the library enforces Server::set_payload_max_length() on the raw (compressed) payload size, it does not apply this limit after decompression. This allows an attacker to send a small compressed payload that decompresses into a much larger one, bypassing size restrictions. The consequence is uncontrolled consumption of CPU cycles and memory, potentially leading to denial of service. The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk. The flaw is categorized under CWE-400 (Uncontrolled Resource Consumption) and CWE-409 (Improper Handling of Highly Compressed Data, i.e. data amplification), the decompression-bomb pattern in which a small input expands to many times its size. The vulnerability was publicly disclosed in March 2026 and fixed in cpp-httplib version 0.35.0. No known exploits are currently reported in the wild, but the ease of exploitation and impact warrant urgent attention.
Potential Impact
This vulnerability can significantly impact organizations using cpp-httplib versions prior to 0.35.0 in their software stacks, especially those exposing HTTP/HTTPS services to untrusted networks. Attackers can exploit the flaw to cause denial of service by exhausting server CPU and memory resources through crafted compressed payloads that bypass size limits. This can lead to service outages, degraded performance, and increased operational costs due to resource overuse. Systems relying on cpp-httplib for critical services may experience downtime, affecting availability and potentially causing cascading failures in dependent systems. Since no authentication or user interaction is required, the attack surface is broad, and automated exploitation attempts could be feasible. Organizations with high-availability requirements or those operating in sectors such as finance, healthcare, or critical infrastructure may face heightened risks. Additionally, the vulnerability could be leveraged as part of multi-stage attacks to distract or disable defenses.
Mitigation Recommendations
The primary mitigation is to upgrade cpp-httplib to version 0.35.0 or later, where the vulnerability is fixed by enforcing payload size limits on decompressed content. Until upgrading is possible, organizations should implement strict network-level controls such as rate limiting, deep packet inspection, and filtering of suspicious compressed HTTP requests to limit potential abuse. Application-level mitigations include adding custom decompression size checks before processing payloads and employing resource quotas or timeouts on request handling threads to prevent resource exhaustion. Monitoring for abnormal CPU and memory usage patterns related to HTTP request processing can help detect exploitation attempts early. Additionally, consider isolating services using cpp-httplib in containerized or sandboxed environments to limit impact. Regularly review and update dependencies to incorporate security patches promptly.
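One way to implement the application-level decompression size check recommended above, as an added example that is not cpp-httplib's own code: the sink mimics the shape of a ContentReader callback (bool(const char *, size_t), where returning false aborts the read) and rejects the stream once the cumulative decompressed byte count passes the configured limit, so a tiny compressed body is stopped after at most one chunk beyond the budget rather than being fully inflated. The toy run-length decoder standing in for gzip, the 4096-byte chunk size, and the Runs and check_body names are assumptions made here.

```cpp
// Added example, not cpp-httplib's own code. BoundedBody enforces a byte
// budget on the decompressed stream, cumulative across chunks, mimicking a
// ContentReader callback (return false = abort). rle_inflate is a toy
// stand-in for gzip so this runs without zlib; all inputs are constructed.
#include <cstddef>
#include <cstdint>
#include <functional>
#include <string>
#include <utility>
#include <vector>
using Runs = std::vector<std::pair<uint32_t, char>>;   // (count, byte)
using ChunkSink = std::function<bool(const char *, size_t)>;
struct BoundedBody {
    size_t max_len;        // same value as set_payload_max_length()
    size_t received = 0;   // decompressed bytes accepted so far
    bool exceeded = false;
    std::string body;
    explicit BoundedBody(size_t m) : max_len(m) {}
    bool operator()(const char *data, size_t len) {
        // received never exceeds max_len, so the subtraction cannot wrap
        if (len > max_len - received) { exceeded = true; return false; }
        received += len;
        body.append(data, len);
        return true;
    }
};
// Stand-in decompressor: {255,'A'} expands to 255 'A's, emitted in fixed
// chunks; honours a false return and reports bytes handed over before stopping.
size_t rle_inflate(const Runs &in, size_t chunk, const ChunkSink &sink) {
    size_t emitted = 0;
    std::string buf;
    for (const auto &run : in)
        for (uint32_t i = 0; i < run.first; ++i) {
            buf.push_back(run.second);
            if (buf.size() < chunk) continue;
            emitted += buf.size();
            if (!sink(buf.data(), buf.size())) return emitted;
            buf.clear();
        }
    if (!buf.empty()) { emitted += buf.size(); sink(buf.data(), buf.size()); }
    return emitted;
}
struct Verdict { bool accepted; size_t inflated; };
// Inflate under the limit: a one-run input that expands past max_len is
// rejected after at most one chunk beyond the budget, never fully inflated.
Verdict check_body(const Runs &compressed, size_t max_len) {
    BoundedBody sink(max_len);
    size_t n = rle_inflate(compressed, 4096, std::ref(sink));
    return Verdict{!sink.exceeded, n};
}
```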
Affected Countries
United States, Germany, Japan, South Korea, United Kingdom, France, Canada, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-27T15:54:05.139Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a88c81d1a09e29cb6b4cbb
Added to database: 3/4/2026, 7:48:17 PM
Last enriched: 3/4/2026, 8:02:38 PM
Last updated: 3/4/2026, 9:06:30 PM