Your message dated Sun, 17 Aug 2025 17:00:10 +0000
with message-id <[email protected]>
and subject line Bug#1109340: fixed in cpp-httplib 0.25.0+ds-1
has caused the Debian Bug report #1109340,
regarding cpp-httplib: CVE-2025-52887 CVE-2025-53628 CVE-2025-53629
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1109340: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109340
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cpp-httplib
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for cpp-httplib.

CVE-2025-52887[0]:
| cpp-httplib is a C++11 single-file header-only cross platform
| HTTP/HTTPS library. In version 0.21.0, when many http headers fields
| are passed in, the library does not limit the number of headers, and
| the memory associated with the headers will not be released when the
| connection is disconnected. This leads to potential exhaustion of
| system memory and results in a server crash or unresponsiveness.
| Version 0.22.0 contains a patch for the issue.

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xjhg-gf59-p92h
https://github.com/yhirose/cpp-httplib/commit/28dcf379e82a2cdb544d812696a7fd46067eb7f9
 (v0.22.0)

This might be specific to 0.21, but needs confirmation.

CVE-2025-53628[1]:
| cpp-httplib is a C++11 single-file header-only cross platform
| HTTP/HTTPS library. Prior to 0.20.1, cpp-httplib does not have a
| limit for a unique line, permitting an attacker to explore this to
| allocate memory arbitrarily. This vulnerability is fixed in 0.20.1.
| NOTE: This vulnerability is related to CVE-2025-53629.

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-j6p8-779x-p5pw
https://github.com/yhirose/cpp-httplib/commit/7b752106ac42bd5b907793950d9125a0972c8e8e
 (v0.20.1)

CVE-2025-53629[2]:
| cpp-httplib is a C++11 single-file header-only cross platform
| HTTP/HTTPS library. Prior to 0.23.0, incoming requests using
| Transfer-Encoding: chunked in the header can allocate memory
| arbitrarily in the server, potentially leading to its exhaustion.
| This vulnerability is fixed in 0.23.0. NOTE: This vulnerability is
| related to CVE-2025-53628.

https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-qjmq-h3cc-qv6w
https://github.com/yhirose/cpp-httplib/commit/17ba303889b8d4d719be3879a70639ab653efb99
 (v0.23.0)


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-52887
    https://www.cve.org/CVERecord?id=CVE-2025-52887
[1] https://security-tracker.debian.org/tracker/CVE-2025-53628
    https://www.cve.org/CVERecord?id=CVE-2025-53628
[2] https://security-tracker.debian.org/tracker/CVE-2025-53629
    https://www.cve.org/CVERecord?id=CVE-2025-53629

Please adjust the affected versions in the BTS as needed.

--- End Message ---
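The three advisories above describe one failure class, allocation driven by attacker-controlled request structure (the number of header fields, the length of a single line, and the sizes declared in a chunked body), and the closing changelog further down adds that trailer fields must not be merged back into the header set. As an added illustration, not cpp-httplib's own code or its fix, here is a minimal HTTP/1.1 request reader in C++ that enforces those bounds before anything is stored. The `Limits` values, the `Status` codes and the helper names (`demo_limits`, `check`, `decoded_body`, `many_headers`) are this example's own inventions; the parser is deliberately simplified (CRLF line endings only, no obs-fold, chunk extensions ignored), and the hostile inputs it is exercised with are constructed here.

```cpp
// Added example (not cpp-httplib's own code): a bounded HTTP/1.1 request reader
// that rejects input before it can drive unbounded allocation. The three limits
// match the three CVE classes above; their values here are illustrative.
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

enum class Status { Ok, TooManyHeaders, LineTooLong, BodyTooLarge, Malformed };
// Caps on: header fields stored, any single CRLF-terminated line, decoded body.
struct Limits { std::size_t max_header_lines, max_line_len, max_body_bytes; };
struct Request {
    std::string request_line, body;
    std::vector<std::pair<std::string, std::string>> headers;
};
Limits demo_limits() { return Limits{8, 256, 1024}; }  // small, so the inputs below trip them

// Read one CRLF-terminated line. A line longer than max_len (or an unterminated
// tail longer than max_len) is rejected before any of it is copied.
static Status read_line(const std::string& in, std::size_t& pos,
                        std::size_t max_len, std::string& out) {
    std::size_t end = in.find("\r\n", pos);
    if (end == std::string::npos)
        return (in.size() - pos > max_len) ? Status::LineTooLong : Status::Malformed;
    if (end - pos > max_len) return Status::LineTooLong;
    out.assign(in, pos, end - pos);
    pos = end + 2;
    return Status::Ok;
}

// Parse the request-line and header fields up to the blank line. The header
// count is checked before each store, so memory stays bounded by the limit.
static Status parse_head(const std::string& in, std::size_t& pos,
                         const Limits& lim, Request& req) {
    Status s = read_line(in, pos, lim.max_line_len, req.request_line);
    if (s != Status::Ok) return s;
    for (std::string line;;) {
        if ((s = read_line(in, pos, lim.max_line_len, line)) != Status::Ok) return s;
        if (line.empty()) return Status::Ok;  // blank line ends the header block
        if (req.headers.size() >= lim.max_header_lines) return Status::TooManyHeaders;
        std::size_t colon = line.find(':');
        if (colon == std::string::npos) return Status::Malformed;
        std::size_t v = line.find_first_not_of(' ', colon + 1);
        req.headers.emplace_back(line.substr(0, colon),
                                 v == std::string::npos ? "" : line.substr(v));
    }
}

// Decode a chunked body. The declared size is checked against the budget digit by
// digit, before any bytes are copied, so a huge size line can neither overflow nor
// reserve memory. Trailers are read under the same line limit and discarded.
static Status parse_chunked(const std::string& in, std::size_t& pos,
                            const Limits& lim, Request& req) {
    for (std::string line;;) {
        Status s = read_line(in, pos, 32, line);  // chunk-size lines are short
        if (s != Status::Ok) return s;
        std::string hex = line.substr(0, line.find(';'));  // drop any chunk-ext
        if (hex.empty()) return Status::Malformed;
        std::size_t size = 0;
        for (char c : hex) {
            int d = (c >= '0' && c <= '9') ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10
                  : (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
            if (d < 0) return Status::Malformed;
            size = size * 16 + static_cast<std::size_t>(d);
            if (size > lim.max_body_bytes) return Status::BodyTooLarge;
        }
        if (req.body.size() + size > lim.max_body_bytes) return Status::BodyTooLarge;
        if (size == 0) {  // last-chunk: consume trailer lines up to the blank line
            do { if ((s = read_line(in, pos, lim.max_line_len, line)) != Status::Ok) return s; }
            while (!line.empty());
            return Status::Ok;
        }
        if (in.size() - pos < size + 2 || in.compare(pos + size, 2, "\r\n") != 0)
            return Status::Malformed;
        req.body.append(in, pos, size);
        pos += size + 2;
    }
}

// Parse the head and, if Transfer-Encoding: chunked, the body.
Status parse_request(const std::string& raw, const Limits& lim, Request& req) {
    std::size_t pos = 0;
    Status s = parse_head(raw, pos, lim, req);
    if (s != Status::Ok) return s;
    for (const auto& h : req.headers)
        if (h.first == "Transfer-Encoding" && h.second == "chunked")
            return parse_chunked(raw, pos, lim, req);
    return Status::Ok;
}
Status check(const std::string& raw, const Limits& lim) { Request r; return parse_request(raw, lim, r); }
std::string decoded_body(const std::string& raw, const Limits& lim) {
    Request r; return parse_request(raw, lim, r) == Status::Ok ? r.body : std::string();
}

// Constructed request with n padding headers after Host (constructed test input).
std::string many_headers(std::size_t n) {
    std::string r = "GET / HTTP/1.1\r\nHost: example.test\r\n";
    for (std::size_t i = 0; i < n; ++i) r += "X-Pad-" + std::to_string(i) + ": x\r\n";
    return r + "\r\n";
}
```

The checks that matter sit before the allocation: the header count is tested before `emplace_back`, the line length before `assign`, and the chunk size digit by digit before `append`, so a request that declares a gigantic chunk, sends a kilometre-long header line, or pushes thousands of small headers is refused with a status rather than absorbed into the heap. Trailers after the last chunk are read under the same line limit and thrown away, the conservative counterpart of the trailer-handling change the changelog mentions. With `demo_limits()` (8 headers, 256-byte lines, 1 KiB body), `many_headers(7)` parses while `many_headers(1000)` is rejected, and a chunked body declaring `401` (1025 bytes) is refused before a single byte is copied.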
--- Begin Message ---
Source: cpp-httplib
Source-Version: 0.25.0+ds-1
Done: Andrea Pappacoda <[email protected]>

We believe that the bug you reported is fixed in the latest version of
cpp-httplib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrea Pappacoda <[email protected]> (supplier of updated cpp-httplib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 16 Aug 2025 20:27:58 +0200
Binary: libcpp-httplib0.25 libcpp-httplib0.25-dbgsym libcpp-httplib-dev
Source: cpp-httplib
Architecture: amd64 source
Version: 0.25.0+ds-1
Distribution: experimental
Urgency: medium
Maintainer: Andrea Pappacoda <[email protected]>
Changed-By: Andrea Pappacoda <[email protected]>
Closes: 1109340
Description:
 libcpp-httplib0.25 - C++ HTTP/HTTPS server and client library
 libcpp-httplib-dev - C++ HTTP/HTTPS server and client library - development files
Changes:
 cpp-httplib (0.25.0+ds-1) experimental; urgency=medium
 .
   * Update to new upstream version 0.25.0+ds.
 .
   * Fix numerous CVEs (Closes: #1109340):
     - CVE-2025-52887 (Unlimited number of HTTP headers causes memory leak).
       Version 0.22.0 adds a limit to the number of headers which can be passed
       in an HTTP request, mitigating a possible DoS due to memory exhaustion.
 .
     - CVE-2025-53628 (HTTP Header Smuggling due to insecure trailers merge).
       Version 0.23.0 changes the way HTTP trailer fields are handled so as to
       prevent an attacker from modifying headers with prohibited trailers.
 .
     - CVE-2025-53629 (Unbounded Memory Allocation in Chunked Requests).
       Version 0.23.0 complements the fix for CVE-2025-46728, actually solving
       memory exhaustion attacks via chunked HTTP requests.
 .
   * d/control: libcpp-httplib0.20 -> libcpp-httplib0.25
   * d/changelog: mention CVE-2025-46728 in 0.20.1+ds-1 changelog entry.
   * d/rules: remove redundant file copy
Checksums-Sha1:
 6905159ff473439ec66271f635e87e4bc86d3c8c 1824 cpp-httplib_0.25.0+ds-1.dsc
 1aef4bc01d005cf9550923850051e4eb597d2588 737100 cpp-httplib_0.25.0+ds.orig.tar.xz
 19eebbbae9457fd85f3072a88a19477d679867d4 5872 cpp-httplib_0.25.0+ds-1.debian.tar.xz
 8e4045d131a9f0818ea67922b07014fd8a80d74a 8076 cpp-httplib_0.25.0+ds-1_amd64.buildinfo
 67455f2873e9d13bf6832f69ace3e0384de39626 21320 libcpp-httplib-dev_0.25.0+ds-1_amd64.deb
 f50db04cd7666fbf40e3f34dc50bcd45d0e7fd08 2565820 libcpp-httplib0.25-dbgsym_0.25.0+ds-1_amd64.deb
 72e12e0cc867615ca0d4b3af036b59b617ad2879 225548 libcpp-httplib0.25_0.25.0+ds-1_amd64.deb
Checksums-Sha256:
 6c1a147bd6a6041ee3b992d95f75ac74e4ad7459ea350e19e8bc7acd57d6a9e0 1824 cpp-httplib_0.25.0+ds-1.dsc
 cd92a04dac06907c3ba983a8bac29ebc252b790b4c33aafb1b33ffb0a56470ec 737100 cpp-httplib_0.25.0+ds.orig.tar.xz
 cc3b930c6a4d58e7dcdae2f99eec2fb6e00b5d2e07b818b71a303c5d329b5e46 5872 cpp-httplib_0.25.0+ds-1.debian.tar.xz
 868276b25d53424a787d309d6c00bef9ac14c26953ca6f764f24f2ae63e41cdc 8076 cpp-httplib_0.25.0+ds-1_amd64.buildinfo
 8af454334a50f3a663477552339504e3e1c8ba25aa5a405659d84ce041febdd6 21320 libcpp-httplib-dev_0.25.0+ds-1_amd64.deb
 ab424be050427c771b0bc1cbdfd8cdbad85c1764b16d209bd134e307811b34cf 2565820 libcpp-httplib0.25-dbgsym_0.25.0+ds-1_amd64.deb
 85c1589b717f4fa0b4b9d5207806b6c6cee1dc24192016f8a0ab0945a51e235d 225548 libcpp-httplib0.25_0.25.0+ds-1_amd64.deb
Files:
 e670cb89d2a0c7d19f9038cca2d5b934 1824 libs optional cpp-httplib_0.25.0+ds-1.dsc
 8fd07b577fc95d9bbc50fbadaa1def14 737100 libs optional cpp-httplib_0.25.0+ds.orig.tar.xz
 8ef9848aefb54e5ac30b63416234de29 5872 libs optional cpp-httplib_0.25.0+ds-1.debian.tar.xz
 4cc8db4bcbf8f0101826e9a1f1f12ddc 8076 libs optional cpp-httplib_0.25.0+ds-1_amd64.buildinfo
 6f9c104d60e605f997dec48c8606a6a9 21320 libdevel optional libcpp-httplib-dev_0.25.0+ds-1_amd64.deb
 be7f6bba01c7a9b3ba0b3f5f1e54d6b2 2565820 debug optional libcpp-httplib0.25-dbgsym_0.25.0+ds-1_amd64.deb
 ce878dcc9634ceffcac8fcde13141e3e 225548 libs optional libcpp-httplib0.25_0.25.0+ds-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iIcEARYKAC8WIQS6VuNIvZRFHt7JcAdKkgiiRVB3pwUCaKDPbhEcdGFjaGlAZGVi
aWFuLm9yZwAKCRBKkgiiRVB3p5mAAP94cVZH9jtJfIHpXzXCuu4YDn1OeqK5rPiD
8jYGGnpMnAD/RV2wiM5IVp/eeDNaK1liwlazgV8U7A2UuCXvOSBJCwA=
=w+VW
-----END PGP SIGNATURE-----



--- End Message ---
