CVE-2026-45352
Description
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked Transfer-Encoding causes unbounded memory allocation and process crash. The ChunkedDecoder::read_payload function in cpp-httplib (httplib.h) parses the chunk-size field of HTTP chunked transfer encoding using std::strtoul(). Per the C standard (§7.22.1.4), strtoul silently accepts a leading minus sign, performing unsigned wrap-around: strtoul("-2", …, 16) returns ULONG_MAX − 1 (0xFFFFFFFFFFFFFFFE). The library's only guard (line 12833) rejects ULONG_MAX (the result of "-1"), but any other negative value such as "-2" passes validation. The resulting near-maximum value is stored in chunk_remaining and controls how many bytes the server's read loop consumes from the network. This vulnerability is fixed in 0.43.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Negative chunk-size in cpp-httplib's chunked transfer encoding causes unbounded memory allocation leading to process crash.
Vulnerability
The ChunkedDecoder::read_payload function in cpp-httplib (httplib.h) incorrectly parses the chunk-size field of HTTP chunked transfer encoding using std::strtoul(). Per the C standard, strtoul silently accepts a leading minus sign, performing unsigned wrap-around. For example, strtoul("-2", …, 16) returns ULONG_MAX − 1. The library only rejects ULONG_MAX (the result of "-1"), so any other negative value like "-2" passes validation and results in a near-maximum value for chunk_remaining. This vulnerability affects versions prior to 0.43.4 [1].
Exploitation
An attacker with network access can send a crafted HTTP request that uses chunked transfer encoding and includes a negative chunk-size, such as "-2". No authentication or special privileges are required. The server then attempts to read a huge amount of data into memory, leading to unbounded memory allocation [1].
Impact
Successful exploitation causes the server process to crash due to std::bad_alloc from excessive memory allocation. This results in a denial of service (DoS). No data is disclosed or modified [1].
Mitigation
The vulnerability is fixed in cpp-httplib version 0.43.4. Users should upgrade to this version or later. No workarounds are documented [1].
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <0.43.4
- (no CPE) range: < 0.43.4
Patches
ec34abb910a6 Merge pull request #22 from underscorediscovery/fix-includes
1 file changed · +4 −0
httplib.h+4 −0 modified@@ -9,8 +9,12 @@ #define _CPPHTTPLIB_HTTPLIB_H_ #ifdef _MSC_VER +#ifndef _CRT_SECURE_NO_WARNINGS #define _CRT_SECURE_NO_WARNINGS +#endif //_CRT_SECURE_NO_WARNINGS +#ifndef _CRT_NONSTDC_NO_DEPRECATE #define _CRT_NONSTDC_NO_DEPRECATE +#endif //_CRT_NONSTDC_NO_DEPRECATE #ifndef SO_SYNCHRONOUS_NONALERT #define SO_SYNCHRONOUS_NONALERT 0x20
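Review bot: the two guarded defines in the `_MSC_VER` block still leak out of the header, so any project that includes `httplib.h` has MSVC's CRT deprecation warnings switched off for the code that follows the include. The `#ifndef` guards only prevent a redefinition warning; consider scoping the suppression to this header or replacing the flagged CRT calls, so that including code keeps its own warnings. Minor style point: the trailing comments such as `#endif //_CRT_SECURE_NO_WARNINGS` want a space after `//`.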
df9428631c4a Merge pull request #17 from const-volatile/master
1 file changed · +1 −1
httplib.h+1 −1 modified@@ -1081,7 +1081,7 @@ inline bool Client::process_request(Stream& strm, const Request& req, Response& return false; } if (req.method != "HEAD") { - if (!detail::read_content(strm, res, false)) { + if (!detail::read_content(strm, res, true)) { return false; } }
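Review bot: the bare boolean passed as the third argument in `detail::read_content(strm, res, true)` inside `Client::process_request` gives a reader no way to tell what behaviour was flipped from `false`, and the hunk carries no comment or test explaining it. Name the argument (an enum or a named constant) or add a one-line comment at the call site, and cover the non-HEAD response path with a test so the previous value cannot come back unnoticed.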
0b00f3fba0e4 Merge pull request #10 from DraTeots/patch-2
1 file changed · +1 −0
httplib.h+1 −0 modified@@ -41,6 +41,7 @@ typedef SOCKET socket_t; #include <cstring> #include <netinet/in.h> #include <arpa/inet.h> +#include <signal.h> #include <sys/socket.h> typedef int socket_t;
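Review bot: nothing in this hunk shows which symbol needs the added `#include <signal.h>` in the non-Windows branch, so the include reads as unused and is likely to be dropped in a later cleanup. Add a short comment naming what it is required for, or land the include in the same change as the code that uses it.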
Vulnerability mechanics
Root cause
"Missing input validation in the chunk-size parser allows a negative value to wrap to a near-maximum unsigned size via strtoul()."
Attack vector
A remote, unauthenticated attacker sends an HTTP POST request with `Transfer-Encoding: chunked` and a chunk-size of `-2` (or any negative value other than `-1`). The server's `strtoul()` call wraps this to `ULONG_MAX-1` (`0xFFFFFFFFFFFFFFFE`), causing the read loop to believe the chunk is approximately 2^64 bytes. The server then accumulates attacker-supplied data into memory without limit, leading to `std::bad_alloc` and process termination via `SIGABRT`. With parallel connections the crash occurs within 2–3 seconds [1].
Affected code
The vulnerability is in `ChunkedDecoder::read_payload` in `httplib.h` (lines 12830–12843). The function uses `std::strtoul()` to parse the chunk-size field and only rejects `ULONG_MAX` (the result of `-1`), but any other negative value such as `-2` passes validation and wraps to a near-maximum unsigned value.
What the fix does
The patches listed above do not address the negative chunk-size parsing issue; the three merged pull requests make unrelated changes (Windows macro guards, a changed `read_content` argument, and an added `#include <signal.h>`). The advisory [1] notes that the fix is in version 0.43.4, but the provided patches do not show the actual validation change. The advisory recommends rejecting any chunk-size that contains a leading minus sign, as RFC 9112 §7.1 defines chunk-size as `1*HEXDIG` and a minus sign is not a valid hex digit.
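The parsing flaw and the recommended `1*HEXDIG` check side by side, as an added example that is not cpp-httplib's code or the 0.43.4 patch: `parse_chunk_size_lenient` reconstructs the `strtoul()`-plus-`ULONG_MAX` pattern from the description, and `parse_chunk_size_strict` accepts hex digits only. Both function names, the `max_chunk` cap and the assumption that the chunk-size line arrives with its CRLF stripped are hypothetical.

```cpp
#include <climits>
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <string>

// Reconstruction of the pattern the description states (not the library's
// source): strtoul() plus a single comparison against ULONG_MAX.
bool parse_chunk_size_lenient(const std::string &line, unsigned long &out) {
  char *end = nullptr;
  unsigned long v = std::strtoul(line.c_str(), &end, 16);
  if (end == line.c_str()) return false;  // nothing parsed
  if (v == ULONG_MAX) return false;       // catches "-1" and overflow only
  out = v;
  return true;
}

// Strict form: chunk-size = 1*HEXDIG (RFC 9112 section 7.1). Signs, spaces
// and "0x" are rejected because they are not HEXDIG. max_chunk is a
// hypothetical policy cap; line is assumed to arrive with CRLF stripped.
bool parse_chunk_size_strict(const std::string &line, size_t max_chunk,
                             size_t &out) {
  size_t v = 0, i = 0;
  for (; i < line.size(); ++i) {
    const char c = line[i];
    size_t d;
    if (c >= '0' && c <= '9') d = c - '0';
    else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
    else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
    else break;  // first non-HEXDIG ends the size field
    // Reject before multiplying, so v * 16 + d can never wrap or pass the cap.
    if (d > max_chunk || v > (max_chunk - d) / 16) return false;
    v = v * 16 + d;
  }
  if (i == 0) return false;                             // e.g. "-2", "+5", ""
  if (i < line.size() && line[i] != ';') return false;  // only chunk-ext may follow
  out = v;
  return true;
}

int main() {
  unsigned long a = 0;
  size_t b = 0;
  const bool lenient = parse_chunk_size_lenient("-2", a);
  const bool strict = parse_chunk_size_strict("-2", 1u << 20, b);
  std::printf("lenient: accepted=%d value=%lx\n", lenient, a);
  std::printf("strict:  accepted=%d\n", strict);
  return 0;
}
```

The strict parser is slightly tighter than the RFC grammar in that it does not allow whitespace before a `;` chunk extension.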
Preconditions
- config: The server must accept chunked request bodies (e.g., via POST, PUT, PATCH handlers with a content reader).
- auth: No authentication is required; the attacker can be unauthenticated and remote.
- network: The attacker must be able to send arbitrary HTTP requests to the server over the network.
- input: The attacker sends a chunk-size field with a leading minus sign (e.g., '-2') in the chunked transfer encoding.
Reproduction
Build the server from the provided `server.cpp` and `Makefile`, then run `python3 exploit.py <host> <port>` (the exploit script is included in the advisory). The server crashes with SIGABRT within seconds [1].
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.