Source: cpp-httplib
Version: 0.18.7-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for cpp-httplib.

CVE-2025-46728[0]:
| cpp-httplib is a C++ header-only HTTP/HTTPS server and client
| library. Prior to version 0.20.1, the library fails to enforce
| configured size limits on incoming request bodies when `Transfer-
| Encoding: chunked` is used or when no `Content-Length` header is
| provided. A remote attacker can send a chunked request without the
| terminating zero-length chunk, causing uncontrolled memory
| allocation on the server. This leads to potential exhaustion of
| system memory and results in a server crash or unresponsiveness.
| Version 0.20.1 fixes the issue by enforcing limits during parsing.
| If the limit is exceeded at any point during reading, the connection
| is terminated immediately. A short-term workaround through a Reverse
| Proxy is available. If updating the library immediately is not
| feasible, deploy a reverse proxy (e.g., Nginx, HAProxy) in front of
| the `cpp-httplib` application. Configure the proxy to enforce
| maximum request body size limits, thereby stopping excessively large
| requests before they reach the vulnerable library code.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-46728
    https://www.cve.org/CVERecord?id=CVE-2025-46728
[1] https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-px83-72rx-v57c
[2] https://github.com/yhirose/cpp-httplib/commit/7b752106ac42bd5b907793950d9125a0972c8e8e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
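The "enforcing limits during parsing" behaviour the advisory describes, shown as an added example that is not cpp-httplib's own code and not the upstream fix: an incremental `Transfer-Encoding: chunked` decoder that checks every announced chunk size against the remaining body budget before it buffers any payload, so a stream that never sends the terminating zero-length chunk is stopped at the configured limit instead of growing memory indefinitely. The class and enum names (`LimitedChunkedReader`, `ChunkedResult`), the 64-byte cap on a chunk-size line, and the sample inputs are all constructed for this illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <limits>
#include <string>

// Outcome of feeding bytes of a chunked request body to the reader.
enum class ChunkedResult { Incomplete, Complete, LimitExceeded, Malformed };

// Illustrative limited chunked-body reader (hypothetical; not cpp-httplib's).
// The body limit is applied while parsing: a chunk whose declared size would
// push the decoded body past max_body is rejected before its bytes are read.
class LimitedChunkedReader {
public:
    explicit LimitedChunkedReader(std::size_t max_body) : max_body_(max_body) {}

    // Append bytes as they arrive from the socket and decode as far as possible.
    // Once a final result is reached it is sticky; a server would close the
    // connection on LimitExceeded or Malformed.
    ChunkedResult feed(const std::string& data) {
        if (result_ != ChunkedResult::Incomplete) return result_;
        pending_ += data;
        for (;;) {
            switch (stage_) {
            case Stage::SizeLine: {
                std::size_t eol = pending_.find("\r\n");
                if (eol == std::string::npos) {
                    // A size line that never ends must not grow the buffer forever.
                    if (pending_.size() > kMaxSizeLine) return finish(ChunkedResult::Malformed);
                    return ChunkedResult::Incomplete;
                }
                std::size_t size = 0;
                if (!parse_hex(pending_.substr(0, eol), size)) return finish(ChunkedResult::Malformed);
                pending_.erase(0, eol + 2);
                if (size == 0) return finish(ChunkedResult::Complete);  // trailers ignored here
                // Key check: compare against the *remaining* budget before buffering.
                if (size > max_body_ - body_.size()) return finish(ChunkedResult::LimitExceeded);
                remaining_ = size;
                stage_ = Stage::Data;
                break;
            }
            case Stage::Data: {
                // Move only the bytes of the already-approved chunk into the body.
                std::size_t take = pending_.size() < remaining_ ? pending_.size() : remaining_;
                body_.append(pending_, 0, take);
                pending_.erase(0, take);
                remaining_ -= take;
                if (remaining_ > 0) return ChunkedResult::Incomplete;
                stage_ = Stage::ChunkEnd;
                break;
            }
            case Stage::ChunkEnd:
                if (pending_.size() < 2) return ChunkedResult::Incomplete;
                if (pending_.compare(0, 2, "\r\n") != 0) return finish(ChunkedResult::Malformed);
                pending_.erase(0, 2);
                stage_ = Stage::SizeLine;
                break;
            }
        }
    }

    const std::string& body() const { return body_; }

private:
    enum class Stage { SizeLine, Data, ChunkEnd };
    static constexpr std::size_t kMaxSizeLine = 64;  // constructed cap for this example

    ChunkedResult finish(ChunkedResult r) { result_ = r; return r; }

    // Parse the hex chunk size, ignoring any ";ext=value" chunk extensions.
    static bool parse_hex(const std::string& line, std::size_t& out) {
        std::string digits = line.substr(0, line.find(';'));
        if (digits.empty()) return false;
        std::size_t v = 0;
        for (char c : digits) {
            int d;
            if (c >= '0' && c <= '9') d = c - '0';
            else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
            else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
            else return false;
            if (v > (std::numeric_limits<std::size_t>::max() >> 4)) return false;  // overflow guard
            v = (v << 4) | static_cast<std::size_t>(d);
        }
        out = v;
        return true;
    }

    std::size_t max_body_;
    std::string pending_;      // unconsumed raw bytes (bounded by the checks above)
    std::string body_;         // decoded body, never larger than max_body_
    std::size_t remaining_ = 0;
    Stage stage_ = Stage::SizeLine;
    ChunkedResult result_ = ChunkedResult::Incomplete;
};

int main() {
    // Constructed input: a chunked stream with no terminating "0\r\n\r\n" chunk.
    LimitedChunkedReader reader(10);
    ChunkedResult r = ChunkedResult::Incomplete;
    for (int i = 0; i < 1000 && r == ChunkedResult::Incomplete; ++i) r = reader.feed("4\r\nAAAA\r\n");
    std::cout << "stopped with result " << static_cast<int>(r)
              << " after buffering " << reader.body().size() << " bytes\n";
    return 0;
}
```

The decoder only ever holds the bytes of a chunk it has already approved plus a bounded size line, so neither a missing terminator, a run of small chunks, nor a single huge declared size can drive allocation past the limit. The reverse-proxy workaround the advisory mentions does the same thing one hop earlier; in Nginx that is the `client_max_body_size` directive, which answers with 413 before the body reaches the application.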

