CVE-2026-28435: CWE-400: Uncontrolled Resource Consumption in yhirose cpp-httplib
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.35.0, cpp-httplib (httplib.h) does not enforce Server::set_payload_max_length() on the decompressed request body when using HandlerWithContentReader (streaming ContentReader) with Content-Encoding: gzip (or other supported encodings). A small compressed payload can expand beyond the configured payload limit and be processed by the application, enabling a payload size limit bypass and potential denial of service (CPU/memory exhaustion). This vulnerability is fixed in 0.35.0.
AI Analysis
Technical Summary
CVE-2026-28435 affects cpp-httplib, a widely used C++11 single-header HTTP/HTTPS library, in versions prior to 0.35.0. The root cause is that when a route is registered through the HandlerWithContentReader interface (the streaming ContentReader API) and the request carries Content-Encoding: gzip or another encoding the build supports, the library inflates the body on the fly but never applies the Server::set_payload_max_length() limit to the inflated output it hands to the application. A small, highly compressible payload can therefore expand far beyond the configured maximum and still be delivered to the handler in full. Inflating and buffering that output costs CPU and memory, so an unauthenticated remote attacker can drive the server into resource exhaustion and denial of service. The vulnerability is categorized under CWE-400 (Uncontrolled Resource Consumption) and CWE-409 (Improper Handling of Highly Compressed Data, the data-amplification weakness behind decompression bombs). The CVSS v3.1 score is 7.5 (high): the attack vector is network-based, no privileges or user interaction are required, and the impact is on availability only, with no effect on confidentiality or integrity. No exploitation in the wild has been reported, but the issue is publicly disclosed and fixed in cpp-httplib 0.35.0. Because cpp-httplib is a header-only library compiled into each embedding application, the impact depends on the deployment: the vulnerable path is reachable only in services that accept compressed request bodies and process them through a streaming content reader without their own size enforcement on the decompressed data.
Potential Impact
Organizations running HTTP servers built on cpp-httplib versions prior to 0.35.0 are exposed. An attacker can bypass the configured payload limit by sending a small compressed request that inflates to a large body, forcing the server to spend CPU on decompression and memory on buffering the result. The outcome is degraded performance or an outright crash of the affected service, so the impact is on availability, with disruption of any web service or API that depends on the library. Exploitation needs no authentication and works remotely against any exposed endpoint that accepts compressed bodies through a streaming handler. Affected parties include anyone embedding cpp-httplib in their software, such as cloud service providers, IoT device manufacturers, and enterprises with custom C++ HTTP servers. Although no in-the-wild exploitation is known, the bar is low: DEFLATE compresses repetitive input at ratios approaching 1000:1, so a multi-megabyte inflated body fits in a few kilobytes produced with standard tooling, and the public disclosure plus the high CVSS score give attackers a clear incentive. Leaving the issue unpatched risks service outages, reputational damage, and operational disruption.
Mitigation Recommendations
The primary mitigation is to upgrade cpp-httplib to version 0.35.0 or later, where the payload limit is enforced on decompressed request bodies. Because the library is header-only, the fix reaches production only when each embedding application is rebuilt against the new httplib.h, so inventory every binary that vendors the header rather than relying on a package upgrade alone. For deployments that cannot upgrade immediately: 1) Confirm exposure first: the vulnerable path requires request decompression to be compiled in (CPPHTTPLIB_ZLIB_SUPPORT for gzip and deflate, CPPHTTPLIB_BROTLI_SUPPORT for br) and a route registered with a HandlerWithContentReader; a build without those macros never inflates request bodies. 2) If the service does not need compressed request bodies, reject requests carrying a Content-Encoding header before the body is read, either at a reverse proxy or in a Server::set_pre_routing_handler. A proxy limit on the compressed body size (such as nginx's client_max_body_size) does not help on its own, because the malicious payload is small on the wire by design; only a proxy that inflates the body and limits the inflated size, or that refuses compressed request bodies, blocks the amplification. 3) In every HandlerWithContentReader, count the decompressed bytes delivered to the receiver callback and return false once the total exceeds the intended limit so the library stops inflating; do not assume set_payload_max_length() has already capped what arrives. 4) Apply process-level resource limits (container memory limits, cgroups, ulimit) so that a single bloated request degrades one worker rather than the host. 5) Log and alert on decompressed-to-compressed size ratios and on CPU or memory spikes correlated with requests carrying Content-Encoding. 6) Audit any other decompression or streaming paths in the application for the same missing check. These measures reduce the denial-of-service risk while the upgrade is planned and rolled out.
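The guard described in item 3 above, shown side by side with the pattern that is exposed. This is an added example and not cpp-httplib's own code: httplib.h is not included, and FakeContentReader is a stand-in that is assumed to mirror the calling convention of httplib::ContentReader (the handler calls it with a receiver; it invokes the receiver once per decompressed chunk and stops as soon as the receiver returns false). The chunk data is constructed to model what a small gzip bomb looks like from the handler's point of view; no real compression is involved.

```cpp
// Added example (not cpp-httplib's code): bounding the decompressed body
// inside a streaming receiver. httplib.h is deliberately NOT included; the
// FakeContentReader type below only imitates how httplib::ContentReader
// drives a receiver (assumption: one call per inflated chunk, stop on false).
#include <cstddef>
#include <functional>
#include <string>
#include <vector>

// Same shape as httplib::ContentReceiver.
using ContentReceiver = std::function<bool(const char *data, size_t data_length)>;

// Stand-in for the library's ContentReader: replays already-inflated chunks
// into the receiver and stops as soon as the receiver returns false.
struct FakeContentReader {
  std::vector<std::string> chunks;
  size_t chunks_delivered = 0;

  bool operator()(const ContentReceiver &receiver) {
    for (const auto &c : chunks) {
      ++chunks_delivered;
      if (!receiver(c.data(), c.size())) return false;  // receiver asked to stop
    }
    return true;
  }
};

// Constructed sample: a body that inflates to `count` chunks of `chunk_size`
// highly compressible bytes, i.e. what a few kilobytes of gzip can become.
FakeContentReader make_inflated_body(size_t chunk_size, size_t count) {
  FakeContentReader r;
  r.chunks.assign(count, std::string(chunk_size, '\0'));
  return r;
}

struct BodyResult {
  bool accepted;          // false when the decompressed body exceeded the budget
  size_t bytes_buffered;  // decompressed bytes kept before stopping
  std::string body;
};

// Exposed pattern: the handler trusts set_payload_max_length() to have capped
// the body and appends whatever the reader delivers. Before 0.35.0, with
// Content-Encoding: gzip, nothing limits what arrives here.
template <class Reader>
BodyResult collect_body_unbounded(Reader &reader) {
  BodyResult out{true, 0, {}};
  reader([&](const char *data, size_t n) {
    out.body.append(data, n);
    out.bytes_buffered += n;
    return true;
  });
  return out;
}

// Hardened pattern: count inflated bytes as they arrive and return false from
// the receiver the moment the next chunk would exceed the budget. Returning
// false stops the reader, and with it any further inflate work for this
// request; the handler should then fail the request (for example with 413).
template <class Reader>
BodyResult collect_body_bounded(Reader &reader, size_t max_decompressed) {
  BodyResult out{true, 0, {}};
  reader([&](const char *data, size_t n) {
    // Written as a subtraction so the comparison cannot overflow.
    if (n > max_decompressed - out.bytes_buffered) {
      out.accepted = false;
      return false;
    }
    out.body.append(data, n);
    out.bytes_buffered += n;
    return true;
  });
  return out;
}

int main() {
  const size_t kMaxBody = 1024 * 1024;  // the cap set_payload_max_length() was meant to impose
  FakeContentReader bomb_a = make_inflated_body(16 * 1024, 300);  // 4.8 MiB once inflated
  FakeContentReader bomb_b = make_inflated_body(16 * 1024, 300);

  BodyResult a = collect_body_unbounded(bomb_a);          // buffers all 4.8 MiB
  BodyResult b = collect_body_bounded(bomb_b, kMaxBody);  // stops at 1 MiB and rejects

  bool demo_ok = a.bytes_buffered > kMaxBody && !b.accepted && b.bytes_buffered <= kMaxBody;
  return demo_ok ? 0 : 1;
}
```

With a 1 MiB budget and 16 KiB inflated chunks, the bounded collector accepts exactly 64 chunks and rejects on the 65th, so the inflated bytes held in memory never exceed the budget and the remaining 235 chunks are never inflated; the unbounded collector holds all 300. The check belongs in every HandlerWithContentReader, since on a vulnerable httplib.h it is the only limit on the decompressed stream.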
Affected Countries
United States, Germany, Japan, South Korea, China, United Kingdom, France, Canada, Australia, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-27T15:54:05.139Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a88c81d1a09e29cb6b4cbb
Added to database: 3/4/2026, 7:48:17 PM
Last enriched: 3/11/2026, 8:19:41 PM
Last updated: 4/19/2026, 12:27:37 AM
Views: 102