CVE-2026-45352: CWE-20: Improper Input Validation in yhirose cpp-httplib
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked Transfer-Encoding causes unbounded memory allocation and process crash. The ChunkedDecoder::read_payload function in cpp-httplib (httplib.h) parses the chunk-size field of HTTP chunked transfer encoding using std::strtoul(). Per the C standard (§7.22.1.4), strtoul silently accepts a leading minus sign, performing unsigned wrap-around: strtoul("-2", …, 16) returns ULONG_MAX − 1 (0xFFFFFFFFFFFFFFFE). The library's only guard (line 12833) rejects ULONG_MAX (the result of "-1"), but any other negative value such as "-2" passes validation. The resulting near-maximum value is stored in chunk_remaining and controls how many bytes the server's read loop consumes from the network. This vulnerability is fixed in 0.43.4.
AI Analysis
Technical Summary
The cpp-httplib C++11 header-only HTTP/HTTPS library versions before 0.43.4 improperly validate the chunk-size field in HTTP chunked transfer encoding. The function ChunkedDecoder::read_payload uses std::strtoul() to parse chunk sizes, which per C standard accepts a leading minus sign and performs unsigned wrap-around. While the library rejects the value for "-1", other negative values like "-2" pass validation, resulting in a near-maximum unsigned value being assigned to chunk_remaining. This causes the server to allocate excessive memory and potentially crash during the read loop. The vulnerability is addressed in version 0.43.4.
Potential Impact
An attacker can send a chunked HTTP request with a negative chunk-size (other than "-1") that passes validation and causes the server to allocate an extremely large amount of memory. This leads to unbounded memory allocation and a denial of service via process crash. There is no impact on confidentiality or integrity reported. The CVSS score is 5.3 (medium severity) reflecting a network attack vector, no privileges required, no user interaction, and impact limited to availability.
Mitigation Recommendations
Upgrade to cpp-httplib version 0.43.4 or later where this vulnerability is fixed. Patch status is not explicitly stated in the vendor advisory, but the description confirms the issue is resolved in 0.43.4. No other mitigations are indicated.
CVE-2026-45352: CWE-20: Improper Input Validation in yhirose cpp-httplib
Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked Transfer-Encoding causes unbounded memory allocation and process crash. The ChunkedDecoder::read_payload function in cpp-httplib (httplib.h) parses the chunk-size field of HTTP chunked transfer encoding using std::strtoul(). Per the C standard (§7.22.1.4), strtoul silently accepts a leading minus sign, performing unsigned wrap-around: strtoul("-2", …, 16) returns ULONG_MAX − 1 (0xFFFFFFFFFFFFFFFE). The library's only guard (line 12833) rejects ULONG_MAX (the result of "-1"), but any other negative value such as "-2" passes validation. The resulting near-maximum value is stored in chunk_remaining and controls how many bytes the server's read loop consumes from the network. This vulnerability is fixed in 0.43.4.
CVSS v3.1
Score 5.3medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The cpp-httplib C++11 header-only HTTP/HTTPS library versions before 0.43.4 improperly validate the chunk-size field in HTTP chunked transfer encoding. The function ChunkedDecoder::read_payload uses std::strtoul() to parse chunk sizes, which per C standard accepts a leading minus sign and performs unsigned wrap-around. While the library rejects the value for "-1", other negative values like "-2" pass validation, resulting in a near-maximum unsigned value being assigned to chunk_remaining. This causes the server to allocate excessive memory and potentially crash during the read loop. The vulnerability is addressed in version 0.43.4.
Potential Impact
An attacker can send a chunked HTTP request with a negative chunk-size (other than "-1") that passes validation and causes the server to allocate an extremely large amount of memory. This leads to unbounded memory allocation and a denial of service via process crash. There is no impact on confidentiality or integrity reported. The CVSS score is 5.3 (medium severity) reflecting a network attack vector, no privileges required, no user interaction, and impact limited to availability.
Mitigation Recommendations
Upgrade to cpp-httplib version 0.43.4 or later where this vulnerability is fixed. Patch status is not explicitly stated in the vendor advisory, but the description confirms the issue is resolved in 0.43.4. No other mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-11T21:40:08.178Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a19e68ee29bf47b50037d67
Added to database: 5/29/2026, 7:18:38 PM
Last enriched: 5/29/2026, 7:33:56 PM
Last updated: 5/29/2026, 8:23:37 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.