The cpp-httplib library, a popular single-header C++11 HTTP/HTTPS client and server library, contains a critical vulnerability identified as CVE-2026-31870. This vulnerability stems from improper handling of the Content-Length HTTP header when using the streaming API methods such as httplib::stream::Get and httplib::stream::Post. Specifically, the library calls std::stoull() directly on the Content-Length header value without validating the input or catching exceptions. If the Content-Length header contains non-numeric characters or a numeric value exceeding the maximum unsigned long long integer (ULLONG_MAX), std::stoull throws exceptions (std::invalid_argument or std::out_of_range). Because the library does not catch these exceptions, the C++ runtime invokes std::terminate(), causing the client process to abort immediately with a SIGABRT signal. This results in a deterministic and immediate denial-of-service condition. The vulnerability can be exploited by any server the client connects to, including legitimate servers, redirected endpoints, third-party APIs, or attackers positioned in man-in-the-middle roles. No authentication or user interaction is required to exploit this flaw, making it highly accessible. The vulnerability affects all versions of cpp-httplib prior to 0.37.1, where the issue has been fixed by adding proper input validation and exception handling around the Content-Length header parsing. The CVSS v3.1 base score is 7.5, reflecting a high severity due to network attack vector, no privileges or user interaction required, and a high impact on availability (denial of service). No known exploits are reported in the wild as of the publication date.

This vulnerability can cause immediate and deterministic crashes of any client application using vulnerable versions of cpp-httplib when connecting to a malicious or misconfigured server. The impact is a denial-of-service condition that affects availability, potentially disrupting critical services relying on cpp-httplib for HTTP communications. Since cpp-httplib is a widely used library in C++ projects, including embedded systems, IoT devices, and backend services, the scope of affected systems is broad. Attackers can exploit this vulnerability remotely without authentication or user interaction, increasing the risk of widespread disruption. Organizations using cpp-httplib in their software stacks may experience service outages, degraded reliability, or forced downtime. Additionally, attackers controlling man-in-the-middle positions or malicious third-party APIs can weaponize this flaw to crash client applications, potentially as part of larger attack campaigns. Although confidentiality and integrity are not directly impacted, the availability impact alone can have significant operational and reputational consequences.

To mitigate this vulnerability, organizations should upgrade all instances of cpp-httplib to version 0.37.1 or later, where the issue is fixed by adding input validation and exception handling around the Content-Length header parsing. If upgrading immediately is not feasible, developers should implement custom exception handling around calls to the streaming API to catch std::invalid_argument and std::out_of_range exceptions from std::stoull and prevent process termination. Additionally, validating the Content-Length header value before passing it to std::stoull can prevent malformed inputs from triggering exceptions. Network-level mitigations include filtering or blocking suspicious HTTP responses with malformed Content-Length headers, especially from untrusted or third-party servers. Employing TLS with strict certificate validation can reduce man-in-the-middle attack risks. Monitoring client application logs for unexpected crashes or SIGABRT signals can help detect exploitation attempts. Finally, developers should audit other parts of their codebase for similar unchecked exception risks when parsing external inputs.