[libmicrohttpd] GNU libmicrohttpd 1.0.5 released

Thu, 16 Apr 2026 01:44:19 -0700 

Dear all,

We are happy to announce the release of GNU libmicrohttpd 1.0.5.

This release mostly fixes a minor HTTP request header smuggling
vulnerability discovered by SySS [1] where MHD ignores the existence of duplicate headers (such as "Content-Length") instead of rejecting the 
HTTP request as per RFCs.
[1] https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2026-018.txt 


About GNU libmicrohttpd
=======================

GNU libmicrohttpd is a small C library that makes it easy to run an
HTTP server as part of another application. GNU Libmicrohttpd is free
software and an official GNU package.  Key features that distinguish
GNU libmicrohttpd from other projects are:

* C library: fast and small
* API is expressive and fully reentrant
* Implementation is HTTP 1.1 compliant
* HTTP server can listen on multiple ports
* Various threading modes
* Three different sockets polling modes
* Broad platform support
* Support for IPv4 and IPv6
* Support for incremental processing of POST data
* Support for basic and digest authentication
* Support for TLS (requires libgnutls)

Do not use GNU libmicrohttpd if you are looking for a standalone HTTP
server, there are many other projects out there that provide that kind
of functionality already. However, if you want to be able to serve
HTTP requests from within your C or C++ application, check it out!

GNU libmicrohttpd has been primarily developed by the GNU maintainers
Evgeny Grin and Christian Grothoff over the last 20 years with the
help of a large community contributing features, bug reports and bug
fixes.


Changes
=======
This release fixes the HTTP header parsing logic to make sure certain HTTP headers are unique, rejecting malformed requests outright instead 
of exposing applications to them.


Download
========

You can download GNU libmicrohttpd from:

* https://ftp.gnu.org/gnu/libmicrohttpd/ and all GNU FTP mirrors.
* Our Git repository at git://git.gnunet.org/libmicrohttpd.git

Please report bugs to our bugtracker at
https://bugs.gnunet.org/set_project.php?project_id=10.

The documentation (including a reference manual and tutorial) can be
found at https://gnu.org/s/libmicrohttpd.



Happy hacking!

Evgeny & Christian

Reply via email to