Package: cpp-httplib
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for cpp-httplib.

CVE-2025-52887[0]:
| cpp-httplib is a C++11 single-file header-only cross platform
| HTTP/HTTPS library. In version 0.21.0, when many http headers fields
| are passed in, the library does not limit the number of headers, and
| the memory associated with the headers will not be released when the
| connection is disconnected. This leads to potential exhaustion of
| system memory and results in a server crash or unresponsiveness.
| Version 0.22.0 contains a patch for the issue.

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xjhg-gf59-p92h
https://github.com/yhirose/cpp-httplib/commit/28dcf379e82a2cdb544d812696a7fd46067eb7f9 (v0.22.0)

This might be specific to 0.21, but needs confirmation.

CVE-2025-53628[1]:
| cpp-httplib is a C++11 single-file header-only cross platform
| HTTP/HTTPS library. Prior to 0.20.1, cpp-httplib does not have a
| limit for a unique line, permitting an attacker to explore this to
| allocate memory arbitrarily. This vulnerability is fixed in 0.20.1.
| NOTE: This vulnerability is related to CVE-2025-53629.

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-j6p8-779x-p5pw
https://github.com/yhirose/cpp-httplib/commit/7b752106ac42bd5b907793950d9125a0972c8e8e (v0.20.1)

CVE-2025-53629[2]:
| cpp-httplib is a C++11 single-file header-only cross platform
| HTTP/HTTPS library. Prior to 0.23.0, incoming requests using
| Transfer-Encoding: chunked in the header can allocate memory
| arbitrarily in the server, potentially leading to its exhaustion.
| This vulnerability is fixed in 0.23.0. NOTE: This vulnerability is
| related to CVE-2025-53628.

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-qjmq-h3cc-qv6w
https://github.com/yhirose/cpp-httplib/commit/17ba303889b8d4d719be3879a70639ab653efb99 (v0.23.0)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-52887
    https://www.cve.org/CVERecord?id=CVE-2025-52887
[1] https://security-tracker.debian.org/tracker/CVE-2025-53628
    https://www.cve.org/CVERecord?id=CVE-2025-53628
[2] https://security-tracker.debian.org/tracker/CVE-2025-53629
    https://www.cve.org/CVERecord?id=CVE-2025-53629

Please adjust the affected versions in the BTS as needed.
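The three advisories above share one failure mode: a request parser that allocates memory with no bound on header count, header line length or chunk size. The C++ sketch below is an added illustration of the defensive pattern, not cpp-httplib's code or the upstream fix; the limits, function names and constructed sample inputs are this example's own assumptions.

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>
// Hypothetical limits chosen for this example; they are not cpp-httplib's constants.
constexpr std::size_t kMaxHeaderCount = 100;   // bound on header fields per request
constexpr std::size_t kMaxLineLength  = 8192;  // bound on any single header line
enum class ParseStatus { Ok, LineTooLong, TooManyHeaders, Malformed };
struct ParseResult { ParseStatus status; std::vector<std::pair<std::string, std::string>> headers; };
// Parse a CRLF-delimited header block ending in an empty line. Every bound is checked
// before a line is stored, so an oversized request is rejected instead of growing the vector.
ParseResult parse_headers(const std::string& block) {
  ParseResult r{ParseStatus::Malformed, {}};
  for (std::size_t pos = 0; pos < block.size();) {
    std::size_t eol = block.find("\r\n", pos);
    if (eol == std::string::npos) return r;                              // missing CRLF
    std::size_t len = eol - pos;
    if (len > kMaxLineLength) { r.status = ParseStatus::LineTooLong; return r; }
    if (len == 0) { r.status = ParseStatus::Ok; return r; }              // blank line ends headers
    if (r.headers.size() >= kMaxHeaderCount) { r.status = ParseStatus::TooManyHeaders; return r; }
    std::size_t colon = block.find(':', pos);
    if (colon == std::string::npos || colon >= eol) return r;            // no "name:" on this line
    std::size_t vstart = colon + 1;
    while (vstart < eol && block[vstart] == ' ') ++vstart;               // skip leading value space
    r.headers.emplace_back(block.substr(pos, colon - pos), block.substr(vstart, eol - vstart));
    pos = eol + 2;
  }
  return r;  // input ended before the terminating blank line
}
// Parse one chunk-size line ("1a;ext=..."). Accept it only if the declared size fits the
// remaining body budget; the digit count is capped so the accumulator cannot overflow first.
bool parse_chunk_size(const std::string& line, std::size_t budget, std::size_t& out) {
  std::size_t value = 0, digits = 0;
  for (char c : line) {
    if (c == ';' || c == '\r') break;                                    // extension or CR ends the size
    int d = (c >= '0' && c <= '9') ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10
          : (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
    if (d < 0 || ++digits > 8) return false;                             // non-hex, or > 32 bits of size
    value = value * 16 + static_cast<std::size_t>(d);
  }
  if (digits == 0 || value > budget) return false;
  out = value;
  return true;
}
// Constructed sample input: n header fields followed by the terminating blank line.
std::string repeated_headers(std::size_t n) {
  std::string s;
  for (std::size_t i = 0; i < n; ++i) s += "X-Key-" + std::to_string(i) + ": v\r\n";
  return s + "\r\n";
}
```

A request with 101 fields is refused as soon as the 101st line is seen, and a chunk declaring more than the remaining budget is refused before any buffer is sized to it.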

